Windows Analysis Report
4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe

Overview

General Information

Sample name: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
Analysis ID: 1443933
MD5: a2c08a55b2b269965a786a352398596d
SHA1: 1a12cd9455c3cb7b0b9b49c35f7c2deb1e1c316a
SHA256: f7b1909a121a8ae8df6f3c54043a14a3726fb0cbdcfdab1f273b26458b318910
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted malware configuration (RedLine):
{"C2 url": ["94.156.8.28:65012"], "Bot Id": "3"}
Source | Rule | Description | Author | Strings (listed beneath each row)
4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x135ca:$a4: get_ScannedWallets
  • 0x12428:$a5: get_ScanTelegram
  • 0x1324e:$a6: get_ScanGeckoBrowsersPaths
  • 0x1106a:$a7: <Processes>k__BackingField
  • 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1099e:$a9: <ScanFTP>k__BackingField
4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1048a:$u7: RunPE
  • 0x13b41:$u8: DownloadAndEx
  • 0x9130:$pat14: , CommandLine:
  • 0x13079:$v2_1: ListOfProcesses
  • 0x1068b:$v2_2: get_ScanVPN
  • 0x1072e:$v2_2: get_ScanFTP
  • 0x1141e:$v2_2: get_ScanDiscord
  • 0x1240c:$v2_2: get_ScanSteam
  • 0x12428:$v2_2: get_ScanTelegram
  • 0x124ce:$v2_2: get_ScanScreen
  • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x13509:$v2_2: get_ScanBrowsers
  • 0x135ca:$v2_2: get_ScannedWallets
  • 0x135f0:$v2_2: get_ScanWallets
  • 0x13610:$v2_3: GetArguments
  • 0x11cd9:$v2_4: VerifyUpdate
  • 0x165de:$v2_4: VerifyUpdate
  • 0x139ca:$v2_5: VerifyScanRequest
  • 0x130c6:$v2_6: GetUpdates
  • 0x165bf:$v2_6: GetUpdates
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author | Strings (listed beneath each row)
00000000.00000000.1623079443.0000000000102000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000000.1623079443.0000000000102000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000000.1623079443.0000000000102000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x133ca:$a4: get_ScannedWallets
  • 0x12228:$a5: get_ScanTelegram
  • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
  • 0x10e6a:$a7: <Processes>k__BackingField
  • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1079e:$a9: <ScanFTP>k__BackingField
Process Memory Space: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe PID: 4564 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe PID: 4564 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author | Strings (listed beneath each row)
0.0.4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe.100000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe.100000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.0.4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe.100000.0.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x135ca:$a4: get_ScannedWallets
  • 0x12428:$a5: get_ScanTelegram
  • 0x1324e:$a6: get_ScanGeckoBrowsersPaths
  • 0x1106a:$a7: <Processes>k__BackingField
  • 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1099e:$a9: <ScanFTP>k__BackingField
0.0.4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe.100000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1048a:$u7: RunPE
  • 0x13b41:$u8: DownloadAndEx
  • 0x9130:$pat14: , CommandLine:
  • 0x13079:$v2_1: ListOfProcesses
  • 0x1068b:$v2_2: get_ScanVPN
  • 0x1072e:$v2_2: get_ScanFTP
  • 0x1141e:$v2_2: get_ScanDiscord
  • 0x1240c:$v2_2: get_ScanSteam
  • 0x12428:$v2_2: get_ScanTelegram
  • 0x124ce:$v2_2: get_ScanScreen
  • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x13509:$v2_2: get_ScanBrowsers
  • 0x135ca:$v2_2: get_ScannedWallets
  • 0x135f0:$v2_2: get_ScanWallets
  • 0x13610:$v2_3: GetArguments
  • 0x11cd9:$v2_4: VerifyUpdate
  • 0x165de:$v2_4: VerifyUpdate
  • 0x139ca:$v2_5: VerifyScanRequest
  • 0x130c6:$v2_6: GetUpdates
  • 0x165bf:$v2_6: GetUpdates
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Avira: detected
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Malware Configuration Extractor: RedLine {"C2 url": ["94.156.8.28:65012"], "Bot Id": "3"}
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Virustotal: Detection: 79%
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Joe Sandbox ML: detected
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor | URLs: 94.156.8.28:65012
Source: global traffic | TCP traffic: 94.156.8.28 ports 65012,0,1,2,5,6
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 65012
Source: unknown | Network traffic detected: HTTP traffic on port 65012 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 65012
Source: unknown | Network traffic detected: HTTP traffic on port 65012 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 65012 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 65012
Source: unknown | Network traffic detected: HTTP traffic on port 65012 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 65012
Source: unknown | Network traffic detected: HTTP traffic on port 65012 -> 49733
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 94.156.8.28:65012
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: 94.156.8.28:65012 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" | Host: 94.156.8.28:65012 | Content-Length: 144 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" | Host: 94.156.8.28:65012 | Content-Length: 982700 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" | Host: 94.156.8.28:65012 | Content-Length: 982692 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: NET1-ASBG NET1-ASBG
Source: unknown | TCP traffic detected without corresponding DNS query: 94.156.8.28 (reported 50 times)
Source: global traffic | DNS traffic detected: DNS query: api.ip.sb
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: 94.156.8.28:65012 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.000000000254D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://94.156.8.28:6
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://94.156.8.28:65012
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://94.156.8.28:65012/
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000024EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://94.156.8.28:65012t-
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000024EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.0000000002412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.0000000002412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/0
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023F0000.00000004.00000800.00020000.00000000.sdmp, 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.0000000002545000.00000004.00000800.00020000.00000000.sdmp, 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.000000000254D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.000000000254D000.00000004.00000800.00020000.00000000.sdmp, 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.0000000002431000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/geoip
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, type: SAMPLE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, type: SAMPLE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe.100000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.0.4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe.100000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000000.1623079443.0000000000102000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe PID: 4564, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Code function: 0_2_0083E7B0
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Code function: 0_2_0083DC90
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Code function: 0_2_05D34468
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Code function: 0_2_05D39628
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Code function: 0_2_05D33311
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Code function: 0_2_05D31210
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Code function: 0_2_05D3DD00
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Code function: 0_2_05D3D108
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1768230385.000000000056E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000000.1623079443.0000000000102000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.0000000002431000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Binary or memory string: OriginalFilenameImplosions.exe4 vs 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, type: SAMPLE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, type: SAMPLE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe.100000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                      Source: 0.0.4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe.100000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                      Source: 00000000.00000000.1623079443.0000000000102000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                      Source: Process Memory Space: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe PID: 4564, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@2/47@1/1
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeFile created: C:\Users\user\AppData\Local\YandexJump to behavior
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeFile created: C:\Users\user\AppData\Local\Temp\tmp3E62.tmpJump to behavior
                      Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId=&apos;1&apos;
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: tmp76FA.tmp.0.dr, tmp76E8.tmp.0.dr, tmp3E62.tmp.0.dr, tmp76E9.tmp.0.dr, tmp770B.tmp.0.dr, tmp3E72.tmp.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Virustotal: Detection: 79%
                      Source: unknown | Process created: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe "C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe"
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: rasapi32.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: rasman.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: rtutils.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: secur32.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: schannel.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: wbemcomn.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: ntmarta.dll
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Section loaded: windowscodecs.dll
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]

                      Hooking and other Techniques for Hiding and Protection

                      Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 65012
                      Source: unknown | Network traffic detected: HTTP traffic on port 65012 -> 49730
                      Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 65012
                      Source: unknown | Network traffic detected: HTTP traffic on port 65012 -> 49732
                      Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 65012
                      Source: unknown | Network traffic detected: HTTP traffic on port 65012 -> 49733
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Memory allocated: 830000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Memory allocated: 23A0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Memory allocated: 43A0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Window / User API: threadDelayed 1777
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Window / User API: threadDelayed 7446
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe TID: 5676 | Thread sleep time: -27670116110564310s >= -30000s
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe TID: 4960 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe TID: 2364 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Thread delayed: delay time: 922337203685477
                      Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1768230385.0000000000613000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1768230385.0000000000613000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Queries volume information: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe VolumeInformation
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1808208654.0000000006FD7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                      Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, type: SAMPLE
Source: Yara match | File source: 0.0.4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1623079443.0000000000102000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe PID: 4564, type: MEMORYSTR
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.000000000254D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.000000000254D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.000000000254D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxxLiberty
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.000000000254D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.000000000254D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Ethereum\wallets
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.000000000254D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.000000000254D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum\lm
Source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.000000000254D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match | File source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, type: SAMPLE
Source: Yara match | File source: 0.0.4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1623079443.0000000000102000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe PID: 4564, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, type: SAMPLE
Source: Yara match | File source: 0.0.4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1623079443.0000000000102000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe PID: 4564, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 231 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 3 Data from Local System | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 241 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 113 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

Source | Detection | Scanner | Label
4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | 79% | Virustotal
4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | 100% | Avira | HEUR/AGEN.1305500
4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
api.ip.sb | 0% | Virustotal
Source | Detection | Scanner | Label
https://ipinfo.io/ip%appdata% | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | 0% | URL Reputation | safe
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX | 0% | URL Reputation | safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe
https://api.ip.sb | 0% | URL Reputation | safe
https://api.ip.sb/geoip | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://api.ipify.orgcookies//settinString.Removeg | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/actor/next | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/CheckConnectResponse | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
94.156.8.28:65012 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal
http://tempuri.org/Endpoint/EnvironmentSettings | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/VerifyUpdateResponse | 1% | Virustotal
http://94.156.8.28:65012/ | 1% | Virustotal
http://tempuri.org/Endpoint/CheckConnect | 2% | Virustotal
http://tempuri.org/Endpoint/EnvironmentSettings | 2% | Virustotal
http://tempuri.org/Endpoint/CheckConnectResponse | 1% | Virustotal
https://duckduckgo.com/ac/?q= | 0% | Virustotal
94.156.8.28:65012 | 1% | Virustotal
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal
http://tempuri.org/Endpoint/CheckConnect | 0% | Avira URL Cloud | safe
http://94.156.8.28:65012/ | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/SetEnviron | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/VerifyUpdateResponse | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/SetEnvironment | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/SetEnvironmentResponse | 0% | Avira URL Cloud | safe
http://94.156.8.28:65012t- | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/GetUpdates | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/GetUpdatesResponse | 0% | Avira URL Cloud | safe
http://94.156.8.28:65012 | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/SetEnviron | 1% | Virustotal
http://tempuri.org/Endpoint/EnvironmentSettingsResponse | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/VerifyUpdate | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/SetEnvironmentResponse | 1% | Virustotal
http://tempuri.org/Endpoint/SetEnvironment | 1% | Virustotal
http://tempuri.org/0 | 0% | Avira URL Cloud | safe
http://94.156.8.28:65012 | 1% | Virustotal
http://94.156.8.28:6 | 0% | Avira URL Cloud | safe
http://tempuri.org/0 | 0% | Virustotal
http://tempuri.org/Endpoint/GetUpdatesResponse | 1% | Virustotal
http://tempuri.org/Endpoint/GetUpdates | 1% | Virustotal
http://tempuri.org/Endpoint/EnvironmentSettingsResponse | 1% | Virustotal
http://94.156.8.28:6 | 1% | Virustotal
http://tempuri.org/Endpoint/VerifyUpdate | 1% | Virustotal
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ip.sb | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
94.156.8.28:65012 | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://94.156.8.28:65012/ | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/ip%appdata% | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/CheckConnectResponse | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.datacontract.org/2004/07/ | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000024EF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/EnvironmentSettings | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023F0000.00000004.00000800.00020000.00000000.sdmp, 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | false | URL Reputation: safe | unknown
https://api.ip.sb | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023F0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/geoip | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023F0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.0000000002412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/ | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.0000000002412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/CheckConnect | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/SetEnviron | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.000000000254D000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/SetEnvironment | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.000000000254D000.00000004.00000800.00020000.00000000.sdmp, 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp, 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.0000000002431000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://94.156.8.28:65012t- | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000024EF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/GetUpdates | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.0000000002545000.00000004.00000800.00020000.00000000.sdmp, 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | false | URL Reputation: safe | unknown
https://api.ipify.orgcookies//settinString.Removeg | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/GetUpdatesResponse | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | false | URL Reputation: safe | unknown
http://94.156.8.28:65012 | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000024EF000.00000004.00000800.00020000.00000000.sdmp, 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/VerifyUpdate | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://tempuri.org/0 | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://94.156.8.28:6 | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.000000000254D000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tmp771B.tmp.0.dr, tmp773D.tmp.0.dr, tmpAF68.tmp.0.dr, tmpAF58.tmp.0.dr, tmpAF79.tmp.0.dr, tmpE726.tmp.0.dr, tmpAFAA.tmp.0.dr, tmp772D.tmp.0.dr, tmpAF8A.tmp.0.dr, tmpAF47.tmp.0.dr, tmp775E.tmp.0.dr, tmp771C.tmp.0.dr | false
                      • URL Reputation: safe
                      unknown
                      http://schemas.xmlsoap.org/soap/actor/next4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe, 00000000.00000002.1769960998.00000000023A1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
                       IP: 94.156.8.28
                       Domain: unknown
                       Country: Bulgaria
                       ASN: 43561
                       ASN Name: NET1-ASBG
                       Malicious: true
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1443933
                      Start date and time:2024-05-19 06:00:08 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 4m 11s
                      Hypervisor based Inspection enabled:false
                      Report type:light
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                       Number of new started processes analysed:5
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@2/47@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Stop behavior analysis, all processes terminated
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                      • TCP Packets have been reduced to 100
                      • Excluded IPs from analysis (whitelisted): 172.67.75.172, 104.26.12.31, 104.26.13.31
                      • Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                       • Not all processes were analyzed; report is missing behavior information
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                       Time: 00:01:03
                       Type: API Interceptor
                       Description: 49x Sleep call for process: 4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe modified
                      No context
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):2666
                      Entropy (8bit):5.345804351520589
                      Encrypted:false
                      SSDEEP:48:MOfHK5HKxHKdHK8THaAHKzecYHKh3oPtHo6nmHKtXooBHKoHzHZHxLHG1qHjHKd2:vq5qxqdqolqztYqh3oPtI6mq7qoT5RL9
                      MD5:3D3B62B70DF65C6D62C6B068D7256706
                      SHA1:03CCEE715BD3299367368426E025742C869155B0
                      SHA-256:7373A8D46BC57A95D1C80A2FCD34FF0238B7A0981147FBEA9C28F32F46C653BB
                      SHA-512:E259F86B1107BCBFA7F72AB3D199F13AF10644848398DD02D22012B626F353A9EE6865A16E5EA39A7657727D3DA6384F7EA424D8ADEA8F4162C106E90737D559
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):98304
                      Entropy (8bit):0.08235737944063153
                      Encrypted:false
                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):40960
                      Entropy (8bit):0.8553638852307782
                      Encrypted:false
                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                      MD5:28222628A3465C5F0D4B28F70F97F482
                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                      Category:dropped
                      Size (bytes):106496
                      Entropy (8bit):1.1358696453229276
                      Encrypted:false
                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                      Malicious:false
                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                      Category:dropped
                      Size (bytes):49152
                      Entropy (8bit):0.8180424350137764
                      Encrypted:false
                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                      MD5:349E6EB110E34A08924D92F6B334801D
                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                      Malicious:false
                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                      Category:dropped
                      Size (bytes):114688
                      Entropy (8bit):0.9746603542602881
                      Encrypted:false
                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                      Malicious:false
                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                      Category:dropped
                      Size (bytes):1026
                      Entropy (8bit):4.690067217069288
                      Encrypted:false
                      SSDEEP:12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
                      MD5:4E32787C3D6F915D3CB360878174E142
                      SHA1:57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
                      SHA-256:2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
                      SHA-512:CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
                      Malicious:false
                      Preview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
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                      Category:dropped
                      Size (bytes):1026
                      Entropy (8bit):4.705615236042988
                      Encrypted:false
                      SSDEEP:24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
                      MD5:159C7BA9D193731A3AAE589183A63B3F
                      SHA1:81FDFC9C96C5B4F9C7730127B166B778092F114A
                      SHA-256:1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
                      SHA-512:2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
                      Malicious:false
                      Preview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
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                      Category:dropped
                      Size (bytes):1026
                      Entropy (8bit):4.70435191336402
                      Encrypted:false
                      SSDEEP:24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix
                      MD5:8C1F71001ABC7FCE68B3F15299553CE7
                      SHA1:382285FB69081EB79C936BC4E1BFFC9D4697D881
                      SHA-256:DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE
                      SHA-512:8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7
                      Malicious:false
                      Preview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
                      Process:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                      Category:dropped
                      Size (bytes):1026
                      Entropy (8bit):4.69156792375111
                      Encrypted:false
                      SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
                      MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
                      SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
                      SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
                      SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
                      Malicious:false
                      Preview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
                      File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):5.960015598587119
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      • Win32 Executable (generic) a (10002005/4) 49.75%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Windows Screen Saver (13104/52) 0.07%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      File name:4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      File size:97'792 bytes
                      MD5:a2c08a55b2b269965a786a352398596d
                      SHA1:1a12cd9455c3cb7b0b9b49c35f7c2deb1e1c316a
                      SHA256:f7b1909a121a8ae8df6f3c54043a14a3726fb0cbdcfdab1f273b26458b318910
                      SHA512:704f9d67ea229f4d1dbeff83110c2237f3c847c3dbe3e40caff180a8bccee083eeebecd0b806c65db7a0ad1bd776b080578abc68eda4ae6b94c391eabf7012e1
                      SSDEEP:1536:Jqskqq+zlbG6jejoigIT43Ywzi0Zb78ivombfexv0ujXyyed2jteulgS6pt:nPpZYT+zi0ZbYe1g0ujyzdft
                      TLSH:82A35D2067AC9F19EAFD1B74B4B2012043F1E08A9091FB4A4DC164E71FA7B865957FF2
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..t............... ........@.. ....................................@................................
                      Icon Hash:90cececece8e8eb0
                      Entrypoint:0x41932e
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows cui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                      Instruction
                      jmp dword ptr [00402000h]
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x192d4 | 0x57 | .text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x4de | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c000 | 0xc | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x2000 | 0x17334 | 0x17400 | 5c8313ca62b34586154966bf1d23bc54 | False | 0.4486307123655914 | data | 6.015064086426226 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rsrc | 0x1a000 | 0x4de | 0x600 | e3145af1e7dfa1e41fe7799ae002b612 | False | 0.3756510416666667 | data | 3.723940100220831 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0x1c000 | 0xc | 0x200 | 5d15b3ed438a3ab0253bd60fcc035f5d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                      RT_VERSION | 0x1a0a0 | 0x254 | data | | | 0.4597315436241611
                      RT_MANIFEST | 0x1a2f4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                      DLL | Import
                      mscoree.dll | _CorExeMain
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      May 19, 2024 06:01:03.412743092 CEST | 62993 | 53 | 192.168.2.4 | 1.1.1.1
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      May 19, 2024 06:01:03.412743092 CEST | 192.168.2.4 | 1.1.1.1 | 0x16c4 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      May 19, 2024 06:01:03.420180082 CEST | 1.1.1.1 | 192.168.2.4 | 0x16c4 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001) | false
                      • 94.156.8.28:65012
                      Target ID:0
                      Start time:00:00:54
                      Start date:19/05/2024
                      Path:C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\4ee06ed334e98fe42fe34b41e528397a22f370bf165d40e07dbd6a2b6d88014d_payload.exe"
                      Imagebase:0x100000
                      File size:97'792 bytes
                      MD5 hash:A2C08A55B2B269965A786A352398596D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1623079443.0000000000102000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1623079443.0000000000102000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000000.1623079443.0000000000102000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                      Reputation:low
                      Has exited:true

                      Target ID:1
                      Start time:00:00:54
                      Start date:19/05/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      No disassembly