Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
setup.exe

Overview

General Information

Sample name:setup.exe
Analysis ID:1465706
MD5:9ab4de8b2f2b99f009d32aa790cd091b
SHA1:a86b16ee4676850bac14c50ee698a39454d0231e
SHA256:8a254344702dc6560312a8028e08f844b16804b1fbf4c438c3ca5058d7b65ea1
Tags:exe
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • setup.exe (PID: 6184 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 9AB4DE8B2F2B99F009D32AA790CD091B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
RedLine StealerRedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.215.113.67:40960"], "Bot Id": "newbuild", "Authorization Header": "e4460bd99c868950f0858f084a0e3d16"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
setup.exeJoeSecurity_RedLineYara detected RedLine StealerJoe Security

    PCAP (Network Traffic)

    SourceRuleDescriptionAuthorStrings
    dump.pcapJoeSecurity_RedLine_1Yara detected RedLine StealerJoe Security
      dump.pcapJoeSecurity_RedLineYara detected RedLine StealerJoe Security

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000000.00000000.2017236310.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_RedLineYara detected RedLine StealerJoe Security
          00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            00000000.00000002.2203057075.0000000003729000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              Process Memory Space: setup.exe PID: 6184JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                Process Memory Space: setup.exe PID: 6184JoeSecurity_RedLineYara detected RedLine StealerJoe Security

                  Unpacked PEs

                  SourceRuleDescriptionAuthorStrings
                  0.0.setup.exe.ff0000.0.unpackJoeSecurity_RedLineYara detected RedLine StealerJoe Security

                    Sigma Signatures

                    No Sigma rule has matched

                    Snort Signatures

                    Timestamp:07/02/24-00:25:59.433462
                    SID:2046045
                    Source Port:49704
                    Destination Port:40960
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:07/02/24-00:26:14.135474
                    SID:2043231
                    Source Port:49704
                    Destination Port:40960
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:07/02/24-00:25:59.726927
                    SID:2043234
                    Source Port:40960
                    Destination Port:49704
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:07/02/24-00:26:05.090960
                    SID:2046056
                    Source Port:40960
                    Destination Port:49704
                    Protocol:TCP
                    Classtype:A Network Trojan was detected

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: setup.exeMalware Configuration Extractor: RedLine {"C2 url": ["185.215.113.67:40960"], "Bot Id": "newbuild", "Authorization Header": "e4460bd99c868950f0858f084a0e3d16"}
                    Multi AV Scanner detection for submitted file
                    Source: setup.exeReversingLabs: Detection: 76%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for sample
                    Source: setup.exeJoe Sandbox ML: detected
                    Source: setup.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.logJump to behavior
                    Source: unknownHTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.5:49705 version: TLS 1.2
                    Source: setup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

                    barindex
                    Snort IDS alert for network traffic
                    Source: TrafficSnort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49704 -> 185.215.113.67:40960
                    Source: TrafficSnort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49704 -> 185.215.113.67:40960
                    Source: TrafficSnort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 185.215.113.67:40960 -> 192.168.2.5:49704
                    Source: TrafficSnort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 185.215.113.67:40960 -> 192.168.2.5:49704
                    C2 URLs / IPs found in malware configuration
                    Source: Malware configuration extractorURLs: 185.215.113.67:40960
                    Source: global trafficTCP traffic: 192.168.2.5:49704 -> 185.215.113.67:40960
                    Source: global trafficHTTP traffic detected: GET /tanosx/clockbrix/downloads/prxtag.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 104.192.141.1 104.192.141.1
                    Source: Joe Sandbox ViewIP Address: 104.192.141.1 104.192.141.1
                    Source: Joe Sandbox ViewIP Address: 185.215.113.67 185.215.113.67
                    Source: Joe Sandbox ViewIP Address: 185.215.113.67 185.215.113.67
                    Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.67
                    Source: global trafficHTTP traffic detected: GET /tanosx/clockbrix/downloads/prxtag.exe HTTP/1.1Host: bitbucket.orgConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: bitbucket.org
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundserver: envoyx-usage-quota-remaining: 997480.961vary: Accept-Language, Origin, Accept-Encodingx-usage-request-cost: 2563.47Cache-Control: max-age=900Content-Type: text/html; charset=utf-8x-b3-traceid: 608c14562ee70ef5x-usage-output-ops: 0x-used-mesh: Falsex-dc-location: Micros-3content-security-policy: frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; base-uri 'self'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; object-src 'none'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/ 'nonce-nncdEFU6YhB4lFDn4Mogow=='; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-websiteStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadDate: Mon, 01 Jul 2024 22:26:15 GMTx-usage-user-time: 0.071072x-usage-system-time: 0.005832x-served-by: 2648214a29f8x-envoy-upstream-service-time: 168content-language: enx-view-name: bitbucket.apps.downloads.views.download_filex-b3-spanid: 608c14562ee70ef5Accept-Ranges: bytesetag: "6709077854bfefd46974d6979771a73e"x-static-version: a022e62940a9x-render-time: 0.15799331665039062Connection: closex-usage-input-ops: 0x-version: a022e629
                    Source: setup.exe, 00000000.00000002.2203057075.00000000036EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bitbucket.org
                    Source: setup.exe, 00000000.00000002.2212604933.000000000737B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003594000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.0000000003729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: setup.exe, 00000000.00000002.2203057075.00000000036BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.0000000003594000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: setup.exe, 00000000.00000002.2203057075.00000000036BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: setup.exe, 00000000.00000002.2203057075.00000000036BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://admin.atlassian.com
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.bitbucket.org
                    Source: setup.exeString found in binary or memory: https://api.ip.sb/ip
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aui-cdn.atlassian.com/
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/%7B9a2f3b3c-ec24-4dcf-8114-c0f169fa8de1%7D/
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/account/tanosx/avatar/
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/blog/announcing-our-new-ci-cd-runtime-with-up-to-8x-faster-builds
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/blog/wp-json/wp/v2/posts?categories=196&context=embed&per_page=6&orderby=date&
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/gateway/api/emoji/
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/tanosx/clockbrix
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/tanosx/clockbrix.git
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003594000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.org/tanosx/clockbrix/downloads/prxtag.exe
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bitbucket.status.atlassian.com/
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bqlf8qjztdtr.statuspage.io
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bytebucket.org/ravatar/%7B443a209f-571f-419b-a313-2df7ae8bbefa%7D?ts=default
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.cookielaw.org/
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d136azpfpnge1l.cloudfront.net/
                    Source: setup.exe, 00000000.00000002.2203057075.00000000036EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
                    Source: setup.exe, 00000000.00000002.2203057075.00000000036EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/css/entry/adg3-skeleton-nav.css
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/css/entry/adg3.css
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/css/entry/app.css
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/css/entry/vendor-aui-8.css
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/app.js
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/aui-8.js
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/early.js
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/locales/en.js
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/sentry.js
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/vendor.js
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/default_avatar/u
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/default_avatar/user_blue.svg
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/logos/bitbucket/android-chrome-192x192.png
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/logos/bitbucket/apple-t
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/logos/bitbucket/apple-touch-icon.png
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/logos/bitbucket/mstile-150x150.png
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/logos/bitbucket/safari-pinned-tab.svg
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/jsi18n/en/djangojs.js
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://id.atlassian.com/login
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://id.atlassian.com/login?prompt=login&continue=https%3A%2F%2Fbitbucket.org%2Ftanosx%2Fcloc
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://id.atlassian.com/logout
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://id.atlassian.com/manage-profile/
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://id.atlassian.com/profile/rest/profile"
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://preferences.atlassian.com
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
                    Source: setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.atlassian.com/try/cloud/signup?bundle=bitbucket
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                    Source: unknownHTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.5:49705 version: TLS 1.2
                    Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_017CDC740_2_017CDC74
                    Source: setup.exe, 00000000.00000000.2017367771.0000000001034000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameMalleoli.exe8 vs setup.exe
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs setup.exe
                    Source: setup.exe, 00000000.00000002.2202135537.0000000001428000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs setup.exe
                    Source: setup.exeBinary or memory string: OriginalFilenameMalleoli.exe8 vs setup.exe
                    Source: setup.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/1@1/2
                    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\SystemCacheJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\6.exeJump to behavior
                    Source: setup.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: setup.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\setup.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\setup.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\Desktop\setup.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\Desktop\setup.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\setup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003BA8000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.0000000003B92000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: setup.exeReversingLabs: Detection: 76%
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: acgenral.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: msacm32.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: dwmapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: winmmbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: winmmbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: rstrtmgr.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32Jump to behavior
                    Source: setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: setup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: setup.exeStatic PE information: 0xF7A57283 [Tue Aug 30 03:18:27 2101 UTC]
                    Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.logJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\setup.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\setup.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\setup.exeMemory allocated: 17A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeMemory allocated: 3500000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeMemory allocated: 2F80000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeWindow / User API: threadDelayed 2371Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeWindow / User API: threadDelayed 7434Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exe TID: 2276Thread sleep time: -28592453314249787s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\setup.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: setup.exe, 00000000.00000002.2202135537.0000000001513000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: setup.exe, 00000000.00000002.2205843023.0000000004844000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: setup.exe, 00000000.00000002.2205843023.000000000480F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: C:\Users\user\Desktop\setup.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeMemory allocated: page read and write | page guardJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Users\user\Desktop\setup.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\setup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\setup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\setup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\setup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\setup.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    barindex
                    Yara detected RedLine Stealer
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: setup.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.setup.exe.ff0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.2017236310.0000000000FF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: setup.exe PID: 6184, type: MEMORYSTR
                    Found many strings related to Crypto-Wallets (likely being stolen)
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003594000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ElectrumE#
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: $cq2C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: com.liberty.jaxx
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.walletLRcqH`
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum\walletsLRcq
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003594000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ExodusE#
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: $cq%appdata%`,cqdC:\Users\user\AppData\Roaming`,cqdC:\Users\user\AppData\Roaming\Binance
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003594000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: EthereumE#
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: $cq&%localappdata%\Coinomi\Coinomi\walletsLRcq<>
                    Source: setup.exe, 00000000.00000002.2203057075.0000000003729000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: $cq6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension CookiesJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                    Tries to steal Crypto Currency Wallets
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Jump to behavior
                    Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\Jump to behavior
                    Source: Yara matchFile source: 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2203057075.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: setup.exe PID: 6184, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected RedLine Stealer
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: setup.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.setup.exe.ff0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.2017236310.0000000000FF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: setup.exe PID: 6184, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts221
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		1
                    Masquerading                    		1
                    OS Credential Dumping                    		221
                    Security Software Discovery                    		Remote Services1
                    Archive Collected Data                    		11
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                    Disable or Modify Tools                    		LSASS Memory1
                    Process Discovery                    		Remote Desktop Protocol3
                    Data from Local System                    		1
                    Non-Standard Port                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)241
                    Virtualization/Sandbox Evasion                    		Security Account Manager241
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin SharesData from Network Shared Drive3
                    Ingress Tool Transfer                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                    Timestomp                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput Capture3
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading                    		LSA Secrets113
                    System Information Discovery                    		SSHKeylogging14
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    setup.exe76%ReversingLabsByteCode-MSIL.Trojan.RedLine
                    setup.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://tempuri.org/0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    https://api.ip.sb/ip0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2004/08/addressing0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse0%URL Reputationsafe
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement0%URL Reputationsafe
                    http://tempuri.org/Entity/Id2Response0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2005/02/sc/sct0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous0%URL Reputationsafe
                    http://tempuri.org/Entity/Id23ResponseD0%Avira URL Cloudsafe
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id21Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id12Response0%Avira URL Cloudsafe
                    https://bitbucket.org/blog/announcing-our-new-ci-cd-runtime-with-up-to-8x-faster-builds0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha10%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap0%Avira URL Cloudsafe
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id6ResponseD0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret0%Avira URL Cloudsafe
                    https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/logos/bitbucket/mstile-150x150.png0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id13ResponseD0%Avira URL Cloudsafe
                    https://bitbucket.status.atlassian.com/0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/10/wsat0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/fault0%Avira URL Cloudsafe
                    https://aui-cdn.atlassian.com/0%Avira URL Cloudsafe
                    https://id.atlassian.com/profile/rest/profile&quot;0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id15Response0%Avira URL Cloudsafe
                    https://bitbucket.org/gateway/api/emoji/0%Avira URL Cloudsafe
                    https://bqlf8qjztdtr.statuspage.io0%Avira URL Cloudsafe
                    https://bitbucket.org0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew0%Avira URL Cloudsafe
                    https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/logos/bitbucket/android-chrome-192x192.png0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register0%Avira URL Cloudsafe
                    https://d301sr5gafysq2.cloudfront.net/a022e62940a9/css/entry/vendor-aui-8.css0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey0%Avira URL Cloudsafe
                    https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/default_avatar/user_blue.svg0%Avira URL Cloudsafe
                    https://id.atlassian.com/login0%Avira URL Cloudsafe
                    https://id.atlassian.com/logout0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA10%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id1ResponseD0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id24Response0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego0%Avira URL Cloudsafe
                    https://id.atlassian.com/manage-profile/0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id21ResponseD0%Avira URL Cloudsafe
                    https://bitbucket.org/tanosx/clockbrix.git0%Avira URL Cloudsafe
                    https://cdn.cookielaw.org/0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id5Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id10ResponseD0%Avira URL Cloudsafe
                    https://d136azpfpnge1l.cloudfront.net/0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id15ResponseD0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id10Response0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/Renew0%Avira URL Cloudsafe
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id8Response0%Avira URL Cloudsafe
                    https://admin.atlassian.com0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentity0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT0%Avira URL Cloudsafe
                    https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/early.js0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey0%Avira URL Cloudsafe
                    https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/locales/en.js0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce0%Avira URL Cloudsafe
                    http://tempuri.org/D0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/06/addressingex0%Avira URL Cloudsafe
                    https://bitbucket.org/account/tanosx/avatar/0%Avira URL Cloudsafe
                    http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ15100%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id13Response0%Avira URL Cloudsafe
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id12ResponseD0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct0%Avira URL Cloudsafe
                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA10%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA10%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id7ResponseD0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id4ResponseD0%Avira URL Cloudsafe
                    https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/logos/bitbucket/apple-touch-icon.png0%Avira URL Cloudsafe
                    https://web-security-reports.services.atlassian.com/csp-report/bb-website0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2002/12/policy0%Avira URL Cloudsafe
                    https://bitbucket.org/tanosx/clockbrix0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id22Response0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id22ResponseD0%Avira URL Cloudsafe
                    185.215.113.67:409600%Avira URL Cloudsafe
                    https://d136azpfpnge1l.cloudfront.net/;0%Avira URL Cloudsafe
                    http://tempuri.org/Entity/Id16ResponseD0%Avira URL Cloudsafe
                    https://d301sr5gafysq2.cloudfront.net/a022e62940a9/css/entry/adg3.css0%Avira URL Cloudsafe
                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    bitbucket.org
                    		104.192.141.1
                    		truefalse
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      185.215.113.67:40960true
                      • Avira URL Cloud: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Textsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/sc/sctsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/dksetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id23ResponseDsetup.exe, 00000000.00000002.2203057075.00000000036BB000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id12Responsesetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/setup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id2Responsesetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://bitbucket.org/blog/announcing-our-new-ci-cd-runtime-with-up-to-8x-faster-buildssetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id21Responsesetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrapsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLIDsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id6ResponseDsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecretsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/logos/bitbucket/mstile-150x150.pngsetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issuesetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Abortedsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequencesetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id13ResponseDsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://bitbucket.status.atlassian.com/setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/faultsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsatsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://id.atlassian.com/profile/rest/profile&quot;setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://aui-cdn.atlassian.com/setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036EE000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id15Responsesetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://bitbucket.org/gateway/api/emoji/setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://bqlf8qjztdtr.statuspage.iosetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namesetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://bitbucket.orgsetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036DE000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renewsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://d301sr5gafysq2.cloudfront.net/a022e62940a9/css/entry/vendor-aui-8.csssetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/Registersetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/logos/bitbucket/android-chrome-192x192.pngsetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeysetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/default_avatar/user_blue.svgsetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://api.ip.sb/ipsetup.exefalse
                      • URL Reputation: safe
                      		unknown
                      https://id.atlassian.com/loginsetup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id1ResponseDsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://id.atlassian.com/logoutsetup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancelsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id24Responsesetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedsetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://id.atlassian.com/manage-profile/setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegosetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id21ResponseDsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressingsetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://bitbucket.org/tanosx/clockbrix.gitsetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://cdn.cookielaw.org/setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036EE000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuesetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id10ResponseDsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://d136azpfpnge1l.cloudfront.net/setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036EE000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsesetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id5Responsesetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnssetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id15ResponseDsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.0000000003729000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id10Responsesetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/Renewsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id8Responsesetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://admin.atlassian.comsetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2006/02/addressingidentitysetup.exe, 00000000.00000002.2203057075.0000000003594000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeysetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/early.jssetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/locales/en.jssetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.000000000370A000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollbacksetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Dsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/06/addressingexsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/Noncesetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponsesetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://bitbucket.org/account/tanosx/avatar/setup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id13Responsesetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id12ResponseDsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Committedsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1setup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertysetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/sc/sctsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id7ResponseDsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgementsetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCTsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoussetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://tempuri.org/Entity/Id4ResponseDsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://d301sr5gafysq2.cloudfront.net/a022e62940a9/img/logos/bitbucket/apple-touch-icon.pngsetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://web-security-reports.services.atlassian.com/csp-report/bb-websitesetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036EE000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrapsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2002/12/policysetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://bitbucket.org/tanosx/clockbrixsetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id22Responsesetup.exe, 00000000.00000002.2203057075.0000000003501000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2203057075.00000000036BB000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id22ResponseDsetup.exe, 00000000.00000002.2203057075.00000000036BB000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://tempuri.org/Entity/Id16ResponseDsetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://d136azpfpnge1l.cloudfront.net/;setup.exe, 00000000.00000002.2203057075.00000000036EE000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issuesetup.exe, 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://d301sr5gafysq2.cloudfront.net/a022e62940a9/css/entry/adg3.csssetup.exe, 00000000.00000002.2203057075.000000000370E000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      104.192.141.1
                      		bitbucket.orgUnited States
                      		16509AMAZON-02USfalse
                      185.215.113.67
                      		unknownPortugal
                      		206894WHOLESALECONNECTIONSNLtrue

                      General Information

                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1465706
                      Start date and time:2024-07-02 00:25:08 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 4m 46s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:5
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:setup.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@1/1@1/2
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 12
                      • Number of non-executed functions: 1
                      Cookbook Comments:
                      • Found application associated with file extension: .exe

                      Warnings

                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • VT rate limit hit for: setup.exe

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      18:26:08API Interceptor59x Sleep call for process: setup.exe modified

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      104.192.141.1A662vmc5co.exeGet hashmaliciousUnknownBrowse
                      • bitbucket.org/kennethoswald1/aoz918/downloads/LEraggt.exe
                      lahPWgosNP.exeGet hashmaliciousAmadeyBrowse
                      • bitbucket.org/alex222111/testproj/downloads/s7.exe
                      SecuriteInfo.com.HEUR.Trojan.Script.Generic.18657.xlsxGet hashmaliciousUnknownBrowse
                      • bitbucket.org/!api/2.0/snippets/tinypro/rEG6d7/ba869eaf2433f3e0b56e4d0776eb5117fc09b21f/files/street-main
                      SecuriteInfo.com.HEUR.Trojan.Script.Generic.18657.xlsxGet hashmaliciousUnknownBrowse
                      • bitbucket.org/!api/2.0/snippets/tinypro/rEG6d7/ba869eaf2433f3e0b56e4d0776eb5117fc09b21f/files/street-main
                      SecuriteInfo.com.HEUR.Trojan.Script.Generic.20331.xlsxGet hashmaliciousUnknownBrowse
                      • bitbucket.org/!api/2.0/snippets
                      SecuriteInfo.com.HEUR.Trojan.Script.Generic.20331.xlsxGet hashmaliciousUnknownBrowse
                      • bitbucket.org/!api/2.0/snippets
                      Paid invoice.ppaGet hashmaliciousAgentTeslaBrowse
                      • bitbucket.org/!api/2.0/snippets/warzonepro/Egjbp5/1b96dd9b300f88e62e18db3170d33bf037793d72/files/euromanmain
                      PO#1487958_10.ppaGet hashmaliciousUnknownBrowse
                      • bitbucket.org/!api/2.0/snippets/warzonepro/KME7g4/7678df565d5a8824274645a03590fc72588243f0/files/orignalfinal
                      Purchase Inquiry_pdf.ppaGet hashmaliciousAgentTeslaBrowse
                      • bitbucket.org/!api/2.0/snippets/warzonepro/8E74BM/47d1c5bd6af9e6b1718ba4d2e049cba6beb1ac95/files/charles1final
                      Purchase Inquiry_pdf.ppaGet hashmaliciousUnknownBrowse
                      • bitbucket.org/!api/2.0/snippets/warzonepro/8E74BM/47d1c5bd6af9e6b1718ba4d2e049cba6beb1ac95/files/charles1final
                      185.215.113.67oMHveSc3hh.exeGet hashmaliciousAmadey RaccoonBrowse
                      • 185.215.113.67/4dcYcWsw3/index.php
                      0KuDEDABFO.exeGet hashmaliciousAmadey RaccoonBrowse
                      • 185.215.113.67/4dcYcWsw3/index.php
                      miOnrvnXK0.exeGet hashmaliciousAmadey RaccoonBrowse
                      • 185.215.113.67/4dcYcWsw3/index.php
                      Rh74sODsWE.exeGet hashmaliciousAmadey RaccoonBrowse
                      • 185.215.113.67/4dcYcWsw3/index.php
                      dSQUdo6EjO.exeGet hashmaliciousAmadey RaccoonBrowse
                      • 185.215.113.67/4dcYcWsw3/index.php
                      usVhwck8lN.exeGet hashmaliciousAmadey RaccoonBrowse
                      • 185.215.113.67/4dcYcWsw3/index.php
                      SecuriteInfo.com.W32.AIDetect.malware1.20102.exeGet hashmaliciousAmadeyBrowse
                      • 185.215.113.67/4dcYcWsw3/index.php
                      MR98F1zzeo.exeGet hashmaliciousAmadey Raccoon VidarBrowse
                      • 185.215.113.67/4dcYcWsw3/index.php
                      8f5718a6042061b23a4e42ee5cd8112946c135dc9d0c2.exeGet hashmaliciousAmadeyBrowse
                      • 185.215.113.67/4dcYcWsw3/index.php
                      fC4T1vVs24.exeGet hashmaliciousAmadeyBrowse
                      • umbrelladownload.uno/gp6GbqVce/index.php

                      Domains

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      bitbucket.org1719859269.0326595_setup.exeGet hashmaliciousLummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, XmrigBrowse
                      • 104.192.141.1
                      1719520929.094843_setup.exeGet hashmaliciousLummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, VidarBrowse
                      • 104.192.141.1
                      1Cvd8TyYPm.exeGet hashmaliciousLummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRATBrowse
                      • 104.192.141.1
                      423845.msiGet hashmaliciousUnknownBrowse
                      • 104.192.141.1
                      423845.msiGet hashmaliciousUnknownBrowse
                      • 104.192.141.1
                      hsRju5CPK2.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRATBrowse
                      • 104.192.141.1
                      YlluVjKozT.exeGet hashmaliciousLummaCBrowse
                      • 104.192.141.1
                      AaSwePhLEn.exeGet hashmaliciousRHADAMANTHYSBrowse
                      • 104.192.141.1
                      SecuriteInfo.com.Win32.DropperX-gen.2332.10313.exeGet hashmaliciousLummaCBrowse
                      • 104.192.141.1
                      nF54KOU30R.exeGet hashmaliciousRHADAMANTHYSBrowse
                      • 104.192.141.1

                      ASNs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      WHOLESALECONNECTIONSNL1Vkf7silOj.exeGet hashmaliciousLummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, StealcBrowse
                      • 185.215.113.67
                      hsRju5CPK2.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRATBrowse
                      • 185.215.113.67
                      mCTacyNuyM.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLineBrowse
                      • 185.215.113.67
                      yWny5Jds8b.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, RedLineBrowse
                      • 185.215.113.67
                      file.exeGet hashmaliciousLummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SmokeLoaderBrowse
                      • 185.215.113.67
                      setup.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLineBrowse
                      • 185.215.113.67
                      setup.exeGet hashmaliciousPython Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, XWorm, zgRATBrowse
                      • 185.215.113.67
                      http://185.215.113.31:84/api/Get hashmaliciousUnknownBrowse
                      • 185.215.113.31
                      4TzzRzv0Hs.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLineBrowse
                      • 185.215.113.67
                      KmhrN2q5ZO.exeGet hashmaliciousPython Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, zgRATBrowse
                      • 185.215.113.67
                      AMAZON-02UShttp://pub-ab9522f1c3a9451fb5bf68fa1c6bcfca.r2.dev/index.htmlGet hashmaliciousUnknownBrowse
                      • 18.192.94.96
                      http://pub-893c14dc386a432a9e359033c230e2e4.r2.dev/index.htmlGet hashmaliciousUnknownBrowse
                      • 35.156.224.161
                      https://www.exactcollisionllc.com/Get hashmaliciousUnknownBrowse
                      • 54.150.37.130
                      1719859269.0326595_setup.exeGet hashmaliciousLummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, XmrigBrowse
                      • 104.192.141.1
                      http://pub-e23528cbdea642ddb1c88fd0d29e30b5.r2.dev/index.htmlGet hashmaliciousUnknownBrowse
                      • 35.156.224.161
                      http://sites.google.com/l0gin-microsoftwebonlne.app/867487/Get hashmaliciousUnknownBrowse
                      • 13.32.121.19
                      http://sites.google.com/l0gin-microsoftwebonlne.app/867487/Get hashmaliciousUnknownBrowse
                      • 18.153.4.44
                      http://sites.google.com/l0gin-microsoftwebonlne.app/867487/Get hashmaliciousUnknownBrowse
                      • 13.32.121.19
                      http://www.midoregon.comGet hashmaliciousUnknownBrowse
                      • 18.239.69.49
                      https://t.apemail.net/c/nqkqiuydkvjvgaqbdiaqcvagdibq6dyhdihaaaihdjlfiayfa5laivksb5kaifi3audqmdycaibrwaabaadqmbagaynq4byoaedqeaipamnqogyvpf3bkgyvafkambqpkikwu-nqdbwfkcivnrkgyvpf3bkgygamaa4bqedmcagbahdmcqabqaaicqagygaeaqobyoaunqkbygb4baeay3aubq6dyaaacqmgyvarjqgvktkmbacgqbafkamgqdb4hqogqoaaaqogswkqbqkb2warkved2uaqkrwdqhbyaqoaqbb4brwflqivle4rcdlbmvef3yi5jfsf37lbbeiuqxpzmucxsdkzbv4wczc4nbo7kclelqmdyxcelv2qszaubboh3gijpfixaxmrjfsuy6cunrkyk6kjaboz2flbdverkdjykrwaabaadqmbagaynrkx2dinduidiydbcveqksi5pe6gkulbnbqvsakjcvqascdbcqgbcgaiauggk7innfwfi3incueuq3aabaegyvpf3bkg2zijnvwg2zijnvwg2zijnvwg2zijnvwgyvafkambqpkikwuGet hashmaliciousUnknownBrowse
                      • 34.214.48.95

                      JA3 Fingerprints

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      3b5074b1b5d032e5620f69f9f700ff0ehttp://pub-893c14dc386a432a9e359033c230e2e4.r2.dev/index.htmlGet hashmaliciousUnknownBrowse
                      • 104.192.141.1
                      http://nvbvnco.com/9EBS7MZK4HT3FKQCINV8CO6YFH/loginGet hashmaliciousUnknownBrowse
                      • 104.192.141.1
                      https://www.exactcollisionllc.com/Get hashmaliciousUnknownBrowse
                      • 104.192.141.1
                      http://sites.google.com/l0gin-microsoftwebonlne.app/867487/Get hashmaliciousUnknownBrowse
                      • 104.192.141.1
                      https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08Get hashmaliciousUnknownBrowse
                      • 104.192.141.1
                      https://renesolapower-my.sharepoint.com/:f:/g/personal/jake_snow_emeren_com/EulAj07H75ZBrOaSqkq0rR8B6BicsAGsyDN8UAJBmcaOlg?e=5%3auGpGuJ&at=9Get hashmaliciousHTMLPhisherBrowse
                      • 104.192.141.1
                      MOD_200.pdf.lnkGet hashmaliciousArc StealerBrowse
                      • 104.192.141.1
                      GkYUK8VCrO.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                      • 104.192.141.1
                      https://forms.promo-pharmacies.gr/6659c951cdd608959f27a77dGet hashmaliciousUnknownBrowse
                      • 104.192.141.1
                      http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDd8ji5dO-2BtGjFwdkKxtwV-2BT-2FIDZLBFuspWHIOxNeRRYzjnPYwPcANsM7g6bBF5Eb-2FtBeYO84se-2BxM2-2FftOX61g3tKjw4-2BmFTEe65zPmmIV01t1qMegNLN27WQA4-2BWSzp8Exonts6yxo7jLDqmXJMwdw-3DSDkl_fylF09WDx4VRLHs1TE6by-2Fm24mY0V6PaWh-2BQeqn0Ay-2FMm-2FGvFUfwxkNWNqnFtCc1bg3RDtukBd6YTikFNr9njJPj8fPjtMTy7wESEphTN1Xt33p1RcATr-2Faa6esQ5neBHfE9PchIfWN2pGu-2FDyTo9jBl7IxKpEon9SyD5nvMkxE22jB5lqUsSt3NSAbiAi6xLdjPQNgUE2zZRGhN5aAjyw-3D-3DGet hashmaliciousHTMLPhisherBrowse
                      • 104.192.141.1

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log

                      Download File
                      Process:C:\Users\user\Desktop\setup.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):3094
                      Entropy (8bit):5.33145931749415
                      Encrypted:false
                      SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                      MD5:3FD5C0634443FB2EF2796B9636159CB6
                      SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                      SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                      SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                      Malicious:true
                      Reputation:high, very likely benign file
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                      Static File Info

                      General

                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):5.030912824090733
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      • Win32 Executable (generic) a (10002005/4) 49.78%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      File name:setup.exe
                      File size:304'128 bytes
                      MD5:9ab4de8b2f2b99f009d32aa790cd091b
                      SHA1:a86b16ee4676850bac14c50ee698a39454d0231e
                      SHA256:8a254344702dc6560312a8028e08f844b16804b1fbf4c438c3ca5058d7b65ea1
                      SHA512:a79341ec3407529daa0384de4cac25b665d3b0cb81e52ecada0ebfe37d7616b16da96b47b04f50ce0a6e46d5fced3298a459f78a087c6b6eac4ed444434c5fbe
                      SSDEEP:3072:KqFFrqwIOGTNyHESF9D4XpeSQ2BXUhdT5TZboHIrcZqf7D34NeqiOLCbBO1:JBIOG6CpcdlTZEmcZqf7DI3L
                      TLSH:55545B1833E89911E67F4B79D470D67093B4EC12A853E31E5ED0AC6B3D36B80EA156F2
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....r................0.................. ........@.. ....................................@................................

                      File Icon

                      Icon Hash:4d8ea38d85a38e6d

                      Static PE Info

                      General

                      Entrypoint:0x429fd6
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0xF7A57283 [Tue Aug 30 03:18:27 2101 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                      Entrypoint Preview

                      Instruction
                      jmp dword ptr [00402000h]
                      popad
                      add byte ptr [ebp+00h], dh
                      je 00007FCD091AEBB2h
                      outsd
                      add byte ptr [esi+00h], ah
                      imul eax, dword ptr [eax], 006C006Ch
                      xor eax, 59007400h
                      add byte ptr [edi+00h], dl
                      push edx
                      add byte ptr [ecx+00h], dh
                      popad
                      add byte ptr [edi+00h], dl
                      push esi
                      add byte ptr [edi+00h], ch
                      popad
                      add byte ptr [ebp+00h], ch
                      push 61006800h
                      add byte ptr [ebp+00h], ch
                      dec edx
                      add byte ptr [eax], bh
                      add byte ptr [edi+00h], dl
                      push edi
                      add byte ptr [ecx], bh
                      add byte ptr [ecx+00h], bh
                      bound eax, dword ptr [eax]
                      xor al, byte ptr [eax]
                      insb
                      add byte ptr [eax+00h], bl
                      pop ecx
                      add byte ptr [edi+00h], dl
                      js 00007FCD091AEBB2h
                      jnc 00007FCD091AEBB2h
                      pop edx
                      add byte ptr [eax+00h], bl
                      push ecx
                      add byte ptr [ebx+00h], cl
                      popad
                      add byte ptr [edi+00h], dl
                      dec edx
                      add byte ptr [ebp+00h], dh
                      pop edx
                      add byte ptr [edi+00h], dl
                      jo 00007FCD091AEBB2h
                      imul eax, dword ptr [eax], 5Ah
                      add byte ptr [ebp+00h], ch
                      jo 00007FCD091AEBB2h
                      je 00007FCD091AEBB2h
                      bound eax, dword ptr [eax]
                      push edi
                      add byte ptr [eax+eax+77h], dh
                      add byte ptr [ecx+00h], bl
                      xor al, byte ptr [eax]
                      xor eax, 63007300h
                      add byte ptr [edi+00h], al
                      push esi
                      add byte ptr [ecx+00h], ch
                      popad
                      add byte ptr [edx], dh
                      add byte ptr [eax+00h], bh
                      je 00007FCD091AEBB2h
                      bound eax, dword ptr [eax]
                      insd
                      add byte ptr [eax+eax+76h], dh
                      add byte ptr [edx+00h], bl
                      push edi
                      add byte ptr [ecx], bh
                      add byte ptr [eax+00h], dh
                      popad
                      add byte ptr [edi+00h], al
                      cmp dword ptr [eax], eax
                      insd
                      add byte ptr [edx+00h], bl
                      push edi
                      add byte ptr [esi+00h], cl
                      cmp byte ptr [eax], al
                      push esi
                      add byte ptr [eax+00h], cl
                      dec edx
                      add byte ptr [esi+00h], dh
                      bound eax, dword ptr [eax]
                      insd
                      add byte ptr [eax+00h], bh
                      jo 00007FCD091AEBB2h
                      bound eax, dword ptr [eax]
                      insd
                      add byte ptr [ebx+00h], dh

                      Data Directories

                      NameVirtual AddressVirtual Size Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IMPORT0x29f840x4f.text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x300000x1c9cc.rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x4e0000xc.reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG0x29f680x1c.text
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                      Sections

                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                      .text0x20000x2cfbc0x2d00082d866d0f560810ffab6e9b113c57782False0.46188151041666664COM executable for DOS6.170910005273685IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rsrc0x300000x1c9cc0x1cc00035e3ef4bdf63ff953b700f04af99b1eFalse0.2372452445652174data2.606019858601282IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc0x4e0000xc0x400e6bd25deb1dfb4f435fec6e9a203ac41False0.025390625data0.05585530805374581IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                      Resources

                      NameRVASizeTypeLanguageCountryZLIB Complexity
                      RT_ICON0x301a00x3d04PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9934058898847631
                      RT_ICON0x33eb40x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m0.09013072282030049
                      RT_ICON0x446ec0x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m0.13905290505432216
                      RT_ICON0x489240x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m0.17033195020746889
                      RT_ICON0x4aedc0x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m0.2045028142589118
                      RT_ICON0x4bf940x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m0.24645390070921985
                      RT_GROUP_ICON0x4c40c0x5adata0.7666666666666667
                      RT_VERSION0x4c4780x352data0.44
                      RT_MANIFEST0x4c7dc0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                      Imports

                      DLLImport
                      mscoree.dll_CorExeMain

                      Network Behavior

                      Snort IDS Alerts

                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                      07/02/24-00:25:59.433462TCP2046045ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)4970440960192.168.2.5185.215.113.67
                      07/02/24-00:26:14.135474TCP2043231ET TROJAN Redline Stealer TCP CnC Activity4970440960192.168.2.5185.215.113.67
                      07/02/24-00:25:59.726927TCP2043234ET MALWARE Redline Stealer TCP CnC - Id1Response4096049704185.215.113.67192.168.2.5
                      07/02/24-00:26:05.090960TCP2046056ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)4096049704185.215.113.67192.168.2.5

                      Network Port Distribution

                      TCP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      Jul 2, 2024 00:25:58.515933037 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:25:58.522825003 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:25:58.522957087 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:25:58.531353951 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:25:58.538383961 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:25:59.369585037 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:25:59.426259041 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:25:59.433461905 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:25:59.440510988 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:25:59.726927042 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:25:59.770016909 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:04.792201996 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:04.798494101 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:05.090960026 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:05.090985060 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:05.090996981 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:05.091007948 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:05.091064930 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:05.091075897 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:05.091140985 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:05.091181040 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:05.289850950 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:05.332488060 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:05.437362909 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:05.442188978 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:05.729949951 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:05.759000063 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:05.763917923 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:06.050570011 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:06.059948921 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:06.064903975 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:06.356098890 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:06.364833117 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:06.369771004 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:06.661211967 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:06.662720919 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:06.667515039 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:06.956017971 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:07.004404068 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:07.070931911 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:07.077930927 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:07.365900040 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:07.410624027 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:07.411303997 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:07.417435884 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:07.710263968 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:07.714270115 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:07.720386982 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:08.007926941 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:08.010732889 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:08.017199039 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:08.303577900 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:08.306014061 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:08.313028097 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:08.598989010 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:08.620445013 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:08.625330925 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:08.915463924 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:08.924906015 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:08.929846048 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:08.929861069 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:08.929871082 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:08.930752993 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:08.930763960 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:08.931552887 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:09.416569948 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:09.457506895 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:10.162373066 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:10.167346954 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:10.454488993 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:10.459857941 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:10.464677095 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:10.752721071 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:10.801254988 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:10.861756086 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:10.866692066 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.153424978 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.207554102 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.234988928 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.242961884 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.242985964 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.243083954 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.243093967 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.243103027 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.243105888 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.243113041 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.243123055 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.243161917 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.243181944 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.243181944 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.243194103 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.243202925 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.243241072 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.243347883 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.248131990 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.248148918 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.248157978 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.248162031 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.248179913 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.248189926 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.248198032 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.248207092 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.248210907 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.248214960 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.248219013 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.248222113 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.248241901 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.248286009 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.248331070 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.248373032 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.252806902 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.252876043 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.252887011 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.252953053 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.253149033 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253160954 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253170967 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253189087 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253197908 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253212929 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253215075 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.253222942 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253247976 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.253248930 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253266096 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.253285885 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253295898 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253442049 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253453016 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253460884 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253469944 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253479004 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253488064 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253496885 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253505945 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253525972 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253535032 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253545046 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253567934 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253595114 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253603935 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253631115 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253639936 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253717899 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253727913 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253762007 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253771067 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253810883 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.253896952 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.257566929 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.257577896 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.257595062 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.257603884 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.257644892 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.257651091 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.257663012 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.257688999 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.257689953 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.257699966 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.257733107 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.257741928 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.257782936 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.257791996 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.257924080 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258012056 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258023977 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258055925 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258064032 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258090019 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258099079 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258169889 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258178949 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258249044 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258259058 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258323908 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258339882 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258361101 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258369923 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258541107 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258550882 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258558989 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258569002 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258577108 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258585930 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258595943 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258737087 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258745909 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258769035 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258778095 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258789062 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258805037 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.258852005 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258877993 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.258884907 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258897066 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258961916 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258971930 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258980989 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.258989096 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259031057 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259040117 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259047985 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259057045 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259073019 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259082079 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259109974 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259119034 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259145975 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259154081 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259203911 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259212971 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259257078 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259265900 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259301901 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259310961 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259349108 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259406090 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259416103 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259423971 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259448051 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259457111 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259480953 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259514093 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259573936 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259582996 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259609938 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259634018 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259716988 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259726048 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259782076 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259790897 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259851933 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259860992 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259947062 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.259955883 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266262054 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266272068 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266354084 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266362906 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266371965 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266381025 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266447067 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266464949 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266473055 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266490936 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266499996 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266508102 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266518116 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266810894 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.266817093 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.266887903 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.266953945 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267096043 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267105103 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267112970 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267122030 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267209053 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267219067 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267226934 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267323971 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267333984 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267342091 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267350912 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267359018 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267457962 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267467976 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267474890 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267597914 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267606020 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267613888 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267694950 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267704010 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267714024 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267723083 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267730951 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267739058 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267828941 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267838001 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267847061 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267854929 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267968893 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267978907 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267987967 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.267996073 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.268096924 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.268106937 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.268115044 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.268122911 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.268255949 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.268265009 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.268273115 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.268378019 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.268387079 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.268394947 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.268404007 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.268414021 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.268421888 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.268686056 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.268754959 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.274661064 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.274677038 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.274698973 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.274703026 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.274712086 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.274719954 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.274738073 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.274748087 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.274756908 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.274765968 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.274893045 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.274902105 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275007963 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275017977 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275024891 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275155067 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275301933 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275310993 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275319099 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275382042 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275391102 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275398970 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275408030 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275417089 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275424957 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275433064 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275527954 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275537014 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275544882 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275686026 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275695086 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275703907 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275712013 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275806904 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275816917 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275825024 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275834084 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275842905 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275851965 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275913954 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275922060 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275929928 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275938988 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275947094 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.275954962 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276055098 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276063919 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276072025 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276081085 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276089907 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276202917 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276211977 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276221037 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276350021 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276621103 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.276678085 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276691914 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276695013 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.276817083 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276828051 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276835918 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276844978 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276922941 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276932001 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276941061 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276949883 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276957989 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276967049 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.276974916 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277023077 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277039051 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277048111 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277055979 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277064085 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277168989 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277179003 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277277946 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277295113 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277303934 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277312040 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277319908 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277328014 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277335882 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277379990 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277389050 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277398109 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277405977 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277416945 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277425051 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277432919 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277441025 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277537107 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277545929 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277554035 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277673006 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277682066 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277690887 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277698994 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277707100 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277801991 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277811050 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277820110 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277828932 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277837038 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277844906 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277940035 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277947903 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277956963 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.277966022 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284612894 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284624100 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284632921 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284641981 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284687042 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284697056 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284712076 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284720898 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284729958 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284738064 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284836054 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284846067 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284854889 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284862995 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284871101 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.284882069 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.284940958 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.284970045 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285131931 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285142899 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285151005 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285160065 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285167933 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285186052 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285195112 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285202980 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285211086 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285219908 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285228014 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285235882 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285243988 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285253048 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285434961 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285444975 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285453081 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285460949 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285469055 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285476923 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285542011 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285551071 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285558939 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285568953 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285577059 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285584927 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285593987 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285602093 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285748005 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285757065 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285764933 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285773993 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285782099 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285792112 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285806894 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285815954 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.285903931 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.292913914 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.292929888 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.292948961 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.292958975 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.292968035 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.292978048 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293019056 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293029070 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293096066 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293106079 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293113947 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293122053 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293128014 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293219090 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293227911 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293231010 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293240070 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.293322086 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.293355942 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293366909 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293380022 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293395996 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293467999 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293478012 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293486118 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293493986 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293600082 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293610096 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293617010 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293623924 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293632030 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293674946 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293684959 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293693066 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293700933 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293709993 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293842077 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293853045 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293859959 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293869019 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293876886 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293967009 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293976068 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.293988943 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.294090986 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.294100046 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.294104099 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.294112921 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.294121027 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.294131041 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.294219017 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.294229031 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.294236898 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.294246912 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.294255018 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.301220894 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.301326990 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.301337004 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.301346064 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.301381111 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.301414013 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.301424026 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.301439047 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.301583052 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.301687002 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.338947058 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:11.342120886 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:11.380996943 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.105151892 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.111295938 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:13.118231058 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.407737970 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.457516909 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:13.480501890 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:13.487032890 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.487056971 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.487071037 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.487082005 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.487092972 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.487103939 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.488603115 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.488621950 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.488636017 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.493650913 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.493673086 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.493705988 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.493786097 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.493798018 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.493809938 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.780337095 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:13.794296980 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:13.800703049 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:14.134182930 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:14.135473967 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:14.140327930 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:14.528063059 CEST4096049704185.215.113.67192.168.2.5
                      Jul 2, 2024 00:26:14.582493067 CEST4970440960192.168.2.5185.215.113.67
                      Jul 2, 2024 00:26:14.747004986 CEST49705443192.168.2.5104.192.141.1
                      Jul 2, 2024 00:26:14.747044086 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:14.747136116 CEST49705443192.168.2.5104.192.141.1
                      Jul 2, 2024 00:26:14.777939081 CEST49705443192.168.2.5104.192.141.1
                      Jul 2, 2024 00:26:14.777970076 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:15.395850897 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:15.396083117 CEST49705443192.168.2.5104.192.141.1
                      Jul 2, 2024 00:26:15.400501013 CEST49705443192.168.2.5104.192.141.1
                      Jul 2, 2024 00:26:15.400518894 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:15.400783062 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:15.442008972 CEST49705443192.168.2.5104.192.141.1
                      Jul 2, 2024 00:26:15.500078917 CEST49705443192.168.2.5104.192.141.1
                      Jul 2, 2024 00:26:15.540502071 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:15.780935049 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:15.780963898 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:15.780981064 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:15.781016111 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:15.781023979 CEST49705443192.168.2.5104.192.141.1
                      Jul 2, 2024 00:26:15.781044960 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:15.781063080 CEST49705443192.168.2.5104.192.141.1
                      Jul 2, 2024 00:26:15.781105042 CEST49705443192.168.2.5104.192.141.1
                      Jul 2, 2024 00:26:15.781111002 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:15.781270981 CEST49705443192.168.2.5104.192.141.1
                      Jul 2, 2024 00:26:15.872792959 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:15.872849941 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:15.872924089 CEST44349705104.192.141.1192.168.2.5
                      Jul 2, 2024 00:26:15.872948885 CEST49705443192.168.2.5104.192.141.1
                      Jul 2, 2024 00:26:15.873111963 CEST49705443192.168.2.5104.192.141.1
                      Jul 2, 2024 00:26:15.885185957 CEST49705443192.168.2.5104.192.141.1
                      Jul 2, 2024 00:26:15.966058016 CEST4970440960192.168.2.5185.215.113.67

                      UDP Packets

                      TimestampSource PortDest PortSource IPDest IP
                      Jul 2, 2024 00:26:14.730947971 CEST5311153192.168.2.51.1.1.1
                      Jul 2, 2024 00:26:14.738219976 CEST53531111.1.1.1192.168.2.5

                      DNS Queries

                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                      Jul 2, 2024 00:26:14.730947971 CEST192.168.2.51.1.1.10x24b7Standard query (0)bitbucket.orgA (IP address)IN (0x0001)false

                      DNS Answers

                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                      Jul 2, 2024 00:26:14.738219976 CEST1.1.1.1192.168.2.50x24b7No error (0)bitbucket.org104.192.141.1A (IP address)IN (0x0001)false

                      HTTP Request Dependency Graph

                      • bitbucket.org

                      HTTPS Proxied Packets

                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                      0192.168.2.549705104.192.141.14436184C:\Users\user\Desktop\setup.exe
                      TimestampBytes transferredDirectionData
                      2024-07-01 22:26:15 UTC100OUTGET /tanosx/clockbrix/downloads/prxtag.exe HTTP/1.1
                      Host: bitbucket.org
                      Connection: Keep-Alive
                      2024-07-01 22:26:15 UTC3106INHTTP/1.1 404 Not Found
                      server: envoy
                      x-usage-quota-remaining: 997480.961
                      vary: Accept-Language, Origin, Accept-Encoding
                      x-usage-request-cost: 2563.47
                      Cache-Control: max-age=900
                      Content-Type: text/html; charset=utf-8
                      x-b3-traceid: 608c14562ee70ef5
                      x-usage-output-ops: 0
                      x-used-mesh: False
                      x-dc-location: Micros-3
                      content-security-policy: frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; base-uri 'self'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://d301sr5gafysq2.cloudfront.net/ https://d136azpfpnge1l.cloudfront.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; object-src 'none'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl [TRUNCATED]
                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                      Date: Mon, 01 Jul 2024 22:26:15 GMT
                      x-usage-user-time: 0.071072
                      x-usage-system-time: 0.005832
                      x-served-by: 2648214a29f8
                      x-envoy-upstream-service-time: 168
                      content-language: en
                      x-view-name: bitbucket.apps.downloads.views.download_file
                      x-b3-spanid: 608c14562ee70ef5
                      Accept-Ranges: bytes
                      etag: "6709077854bfefd46974d6979771a73e"
                      x-static-version: a022e62940a9
                      x-render-time: 0.15799331665039062
                      Connection: close
                      x-usage-input-ops: 0
                      x-version: a022e62940a9
                      x-request-count: 2780
                      x-frame-options: SAMEORIGIN
                      X-Cache-Info: caching
                      Content-Length: 23640
                      2024-07-01 22:26:15 UTC13277INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 69 64 3d 22 62 62 2d 62 6f 6f 74 73 74 72 61 70 22 20 64 61 74 61 2d 63 75 72 72 65 6e 74 2d 75 73 65 72 3d 22 7b 26 71 75 6f 74 3b 69 73 41 75 74 68 65 6e 74 69 63 61 74 65 64 26 71 75 6f 74 3b 3a 20 66 61 6c 73 65 2c 20 26 71 75 6f 74 3b 69 73 4b 62 64 53 68 6f 72 74 63 75 74 73 45 6e 61 62 6c 65 64 26 71 75 6f 74 3b 3a 20 74 72 75 65 2c 20 26 71 75 6f 74 3b 69 73 53 73 68 45 6e 61 62 6c 65 64 26 71 75 6f 74 3b 3a 20 66 61 6c 73 65 7d 22 0a 0a 0a 20 20 20 20 64 61 74 61 2d 74 61 72 67 65 74 2d 77 6f 72 6b 73 70 61 63 65 2d 75 75 69 64 3d 22 39 61 32 66 33 62 33 63 2d 65 63 32 34 2d 34 64 63 66 2d 38 31 31 34 2d
                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta id="bb-bootstrap" data-current-user="{&quot;isAuthenticated&quot;: false, &quot;isKbdShortcutsEnabled&quot;: true, &quot;isSshEnabled&quot;: false}" data-target-workspace-uuid="9a2f3b3c-ec24-4dcf-8114-
                      2024-07-01 22:26:15 UTC26INData Raw: 69 67 68 6c 69 67 68 74 69 6e 67 22 3a 20 66 61 6c 73 65 2c 20 22 73 79 6e 74
                      Data Ascii: ighlighting": false, "synt
                      2024-07-01 22:26:15 UTC10337INData Raw: 61 78 2d 68 69 67 68 6c 69 67 68 74 69 6e 67 2d 70 6f 70 75 70 22 3a 20 74 72 75 65 2c 20 22 75 73 65 72 2d 63 6f 64 65 2d 6f 77 6e 65 72 73 22 3a 20 66 61 6c 73 65 2c 20 22 63 72 65 61 74 65 2d 77 6f 72 6b 73 70 61 63 65 2d 73 68 6f 77 2d 72 65 63 61 70 74 63 68 61 22 3a 20 74 72 75 65 2c 20 22 70 72 2d 72 65 76 69 65 77 2d 69 6e 66 6f 2d 61 72 63 68 2d 63 68 61 6e 67 65 73 22 3a 20 74 72 75 65 2c 20 22 65 78 74 65 6e 73 69 62 6c 65 2d 6d 65 72 67 65 2d 63 68 65 63 6b 73 2d 65 6e 61 62 6c 65 64 22 3a 20 66 61 6c 73 65 2c 20 22 62 62 63 2d 63 6f 6d 70 61 73 73 2d 78 2d 66 6c 6f 77 2d 75 69 22 3a 20 74 72 75 65 2c 20 22 63 6f 6d 70 61 73 73 2d 69 6e 2d 63 72 6f 73 73 2d 70 72 6f 64 75 63 74 2d 73 65 61 72 63 68 22 3a 20 66 61 6c 73 65 2c 20 22 63 6f 72 65
                      Data Ascii: ax-highlighting-popup": true, "user-code-owners": false, "create-workspace-show-recaptcha": true, "pr-review-info-arch-changes": true, "extensible-merge-checks-enabled": false, "bbc-compass-x-flow-ui": true, "compass-in-cross-product-search": false, "core


                      Statistics

                      CPU Usage

                      Click to jump to process

                      Memory Usage

                      Click to jump to process

                      High Level Behavior Distribution

                      Click to dive into process behavior distribution

                      System Behavior

                      General

                      Target ID:0
                      Start time:18:25:56
                      Start date:01/07/2024
                      Path:C:\Users\user\Desktop\setup.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\setup.exe"
                      Imagebase:0xff0000
                      File size:304'128 bytes
                      MD5 hash:9AB4DE8B2F2B99F009D32AA790CD091B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.2017236310.0000000000FF2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2203057075.0000000003598000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2203057075.0000000003729000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true

                      Disassembly

                      Reset < >

                        Execution Graph

                        Execution Coverage:7.5%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:92
                        Total number of Limit Nodes:10
                        execution_graph 15335 17c4668 15336 17c4669 15335->15336 15337 17c4696 15336->15337 15341 17c47a0 15336->15341 15346 17c3e10 15337->15346 15342 17c47c5 15341->15342 15350 17c48b0 15342->15350 15354 17c48a1 15342->15354 15347 17c3e1b 15346->15347 15362 17c5c54 15347->15362 15349 17c46b5 15352 17c48d7 15350->15352 15351 17c49b4 15351->15351 15352->15351 15358 17c4248 15352->15358 15356 17c48d7 15354->15356 15355 17c49b4 15355->15355 15356->15355 15357 17c4248 CreateActCtxA 15356->15357 15357->15355 15359 17c5940 CreateActCtxA 15358->15359 15361 17c5a03 15359->15361 15363 17c5c5f 15362->15363 15366 17c5c64 15363->15366 15365 17c709d 15365->15349 15367 17c5c6f 15366->15367 15370 17c5c94 15367->15370 15369 17c717a 15369->15365 15371 17c5c9f 15370->15371 15374 17c5cc4 15371->15374 15373 17c726d 15373->15369 15375 17c5ccf 15374->15375 15377 17c8653 15375->15377 15380 17cad00 15375->15380 15376 17c8691 15376->15373 15377->15376 15384 17ccde0 15377->15384 15389 17cad38 15380->15389 15393 17cad28 15380->15393 15381 17cad16 15381->15377 15385 17cce11 15384->15385 15386 17cce35 15385->15386 15426 17ccfa0 15385->15426 15430 17ccf90 15385->15430 15386->15376 15398 17cae20 15389->15398 15406 17cae30 15389->15406 15390 17cad47 15390->15381 15394 17cad38 15393->15394 15396 17cae30 2 API calls 15394->15396 15397 17cae20 2 API calls 15394->15397 15395 17cad47 15395->15381 15396->15395 15397->15395 15399 17cae41 15398->15399 15400 17cae64 15398->15400 15399->15400 15414 17cb0c8 15399->15414 15418 17cb0b8 15399->15418 15400->15390 15401 17cae5c 15401->15400 15402 17cb068 GetModuleHandleW 15401->15402 15403 17cb095 15402->15403 15403->15390 15407 17cae41 15406->15407 15408 17cae64 15406->15408 15407->15408 15412 17cb0c8 LoadLibraryExW 15407->15412 15413 17cb0b8 LoadLibraryExW 15407->15413 15408->15390 15409 17cae5c 15409->15408 15410 17cb068 GetModuleHandleW 15409->15410 15411 17cb095 15410->15411 15411->15390 15412->15409 15413->15409 15415 17cb0dc 15414->15415 15417 17cb101 15415->15417 15422 17ca870 15415->15422 15417->15401 15419 17cb0dc 15418->15419 15420 17cb101 15419->15420 15421 17ca870 LoadLibraryExW 15419->15421 15420->15401 15421->15420 15423 17cb2a8 LoadLibraryExW 15422->15423 15425 17cb321 15423->15425 15425->15417 15428 17ccfad 15426->15428 15427 17ccfe7 15427->15386 15428->15427 15434 17cc8d8 15428->15434 15432 17ccfad 15430->15432 15431 17ccfe7 15431->15386 15432->15431 15433 17cc8d8 3 API calls 15432->15433 15433->15431 15435 17cc8e3 15434->15435 15437 17cd8f8 15435->15437 15438 17cca04 15435->15438 15437->15437 15439 17cca0f 15438->15439 15440 17c5cc4 3 API calls 15439->15440 15441 17cd967 15440->15441 15441->15437 15442 17cd0b8 15443 17cd0fe GetCurrentProcess 15442->15443 15445 17cd150 GetCurrentThread 15443->15445 15448 17cd149 15443->15448 15446 17cd18d GetCurrentProcess 15445->15446 15447 17cd186 15445->15447 15449 17cd1c3 15446->15449 15447->15446 15448->15445 15450 17cd1eb GetCurrentThreadId 15449->15450 15451 17cd21c 15450->15451 15452 17cd300 DuplicateHandle 15453 17cd396 15452->15453

                        Executed Functions

                        Function 017CD0A8 Relevance: 6.1, APIs: 4, Instructions: 130threadCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 294 17cd0a8-17cd147 GetCurrentProcess 298 17cd149-17cd14f 294->298 299 17cd150-17cd184 GetCurrentThread 294->299 298->299 300 17cd18d-17cd1c1 GetCurrentProcess 299->300 301 17cd186-17cd18c 299->301 303 17cd1ca-17cd1e5 call 17cd289 300->303 304 17cd1c3-17cd1c9 300->304 301->300 307 17cd1eb-17cd21a GetCurrentThreadId 303->307 304->303 308 17cd21c-17cd222 307->308 309 17cd223-17cd285 307->309 308->309
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 017CD136
                        • GetCurrentThread.KERNEL32 ref: 017CD173
                        • GetCurrentProcess.KERNEL32 ref: 017CD1B0
                        • GetCurrentThreadId.KERNEL32 ref: 017CD209
                        Memory Dump Source
                        • Source File: 00000000.00000002.2202716721.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_17c0000_setup.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: 163bc7353bb5cc35d1141d19a11c48af3e3d83f7cbf3c9013aa3d5c51825baee
                        • Instruction ID: 3a87b0d0fae263f1d6470dbb30375638627a7bbed0c141449572064b0e972b3c
                        • Opcode Fuzzy Hash: 163bc7353bb5cc35d1141d19a11c48af3e3d83f7cbf3c9013aa3d5c51825baee
                        • Instruction Fuzzy Hash: E55158B09012498FDB14DFAAD548BAEFFF1EF88304F20846EE419AB290D7345944CB65
                        Function 017CD0B8 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 316 17cd0b8-17cd147 GetCurrentProcess 320 17cd149-17cd14f 316->320 321 17cd150-17cd184 GetCurrentThread 316->321 320->321 322 17cd18d-17cd1c1 GetCurrentProcess 321->322 323 17cd186-17cd18c 321->323 325 17cd1ca-17cd1e5 call 17cd289 322->325 326 17cd1c3-17cd1c9 322->326 323->322 329 17cd1eb-17cd21a GetCurrentThreadId 325->329 326->325 330 17cd21c-17cd222 329->330 331 17cd223-17cd285 329->331 330->331
                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 017CD136
                        • GetCurrentThread.KERNEL32 ref: 017CD173
                        • GetCurrentProcess.KERNEL32 ref: 017CD1B0
                        • GetCurrentThreadId.KERNEL32 ref: 017CD209
                        Memory Dump Source
                        • Source File: 00000000.00000002.2202716721.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_17c0000_setup.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: b4d8948cfa435d0f82dffc8eba7da7f11d7c5286faab7c9e7ea10ce2c16371a7
                        • Instruction ID: c3a6a2333b14c61850c136b1adf42b27d36ac064d4b1c6d4a71e7f04fe3bb07b
                        • Opcode Fuzzy Hash: b4d8948cfa435d0f82dffc8eba7da7f11d7c5286faab7c9e7ea10ce2c16371a7
                        • Instruction Fuzzy Hash: 695138B09012098FDB14DFAAD948B9EFBF1EF88314F20846DE519A7390D7345984CB65
                        Function 017CAE30 Relevance: 1.7, APIs: 1, Instructions: 196COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 360 17cae30-17cae3f 361 17cae6b-17cae6f 360->361 362 17cae41-17cae4e call 17c9838 360->362 363 17cae71-17cae7b 361->363 364 17cae83-17caec4 361->364 369 17cae64 362->369 370 17cae50 362->370 363->364 371 17caec6-17caece 364->371 372 17caed1-17caedf 364->372 369->361 417 17cae56 call 17cb0c8 370->417 418 17cae56 call 17cb0b8 370->418 371->372 373 17caee1-17caee6 372->373 374 17caf03-17caf05 372->374 377 17caee8-17caeef call 17ca814 373->377 378 17caef1 373->378 376 17caf08-17caf0f 374->376 375 17cae5c-17cae5e 375->369 379 17cafa0-17cafb7 375->379 380 17caf1c-17caf23 376->380 381 17caf11-17caf19 376->381 383 17caef3-17caf01 377->383 378->383 393 17cafb9-17cb018 379->393 384 17caf25-17caf2d 380->384 385 17caf30-17caf39 call 17ca824 380->385 381->380 383->376 384->385 391 17caf3b-17caf43 385->391 392 17caf46-17caf4b 385->392 391->392 394 17caf4d-17caf54 392->394 395 17caf69-17caf76 392->395 411 17cb01a-17cb060 393->411 394->395 396 17caf56-17caf66 call 17ca834 call 17ca844 394->396 400 17caf78-17caf96 395->400 401 17caf99-17caf9f 395->401 396->395 400->401 412 17cb068-17cb093 GetModuleHandleW 411->412 413 17cb062-17cb065 411->413 414 17cb09c-17cb0b0 412->414 415 17cb095-17cb09b 412->415 413->412 415->414 417->375 418->375
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000), ref: 017CB086
                        Memory Dump Source
                        • Source File: 00000000.00000002.2202716721.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_17c0000_setup.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 55e3e01f6c88048c82dcb753a4a2b4dcfdfb0a8ca077d9819f26fbd55001e4ca
                        • Instruction ID: 3c0a663dae6a664b3cfaa68c3a7d0693953df9d5d3e6a84049164e9a1e17c367
                        • Opcode Fuzzy Hash: 55e3e01f6c88048c82dcb753a4a2b4dcfdfb0a8ca077d9819f26fbd55001e4ca
                        • Instruction Fuzzy Hash: 0B7123B0A00B0A8FD724DF29D54575ABBF1FF88701F10892DE58A97A80E774E845CB91
                        Function 017C5935 Relevance: 1.6, APIs: 1, Instructions: 100COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 419 17c5935-17c5a01 CreateActCtxA 421 17c5a0a-17c5a64 419->421 422 17c5a03-17c5a09 419->422 429 17c5a66-17c5a69 421->429 430 17c5a73-17c5a77 421->430 422->421 429->430 431 17c5a88 430->431 432 17c5a79-17c5a85 430->432 434 17c5a89 431->434 432->431 434->434
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 017C59F1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2202716721.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_17c0000_setup.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: b263915e2d26dfce421d8be3b804c4de5b9ab1d9d0b82f27331c3d305ae8b897
                        • Instruction ID: 61f3db9521afbbe195da302b187a6a2d3db2eeee09d79add79348789620cf64a
                        • Opcode Fuzzy Hash: b263915e2d26dfce421d8be3b804c4de5b9ab1d9d0b82f27331c3d305ae8b897
                        • Instruction Fuzzy Hash: 0B41CEB0D00619CEDB24CFAAC888ADDBBB5FF49704F20815AD408AB251DB756945CF91
                        Function 017C4248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 435 17c4248-17c5a01 CreateActCtxA 438 17c5a0a-17c5a64 435->438 439 17c5a03-17c5a09 435->439 446 17c5a66-17c5a69 438->446 447 17c5a73-17c5a77 438->447 439->438 446->447 448 17c5a88 447->448 449 17c5a79-17c5a85 447->449 451 17c5a89 448->451 449->448 451->451
                        APIs
                        • CreateActCtxA.KERNEL32(?), ref: 017C59F1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2202716721.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_17c0000_setup.jbxd
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 41e3304cc9088b600ddc2d74ab0d0adb3a207e15029b50b6c725e3b75dd7f669
                        • Instruction ID: c0e3d002d361db39e2bb91b2924845da333e970368dadc6210fc58c68e2ff47d
                        • Opcode Fuzzy Hash: 41e3304cc9088b600ddc2d74ab0d0adb3a207e15029b50b6c725e3b75dd7f669
                        • Instruction Fuzzy Hash: 6E41BCB0D00719CADB24CFAAC884B9DFBB5FF49704F60816ED408AB251DB756949CF91
                        Function 017CD300 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 452 17cd300-17cd394 DuplicateHandle 453 17cd39d-17cd3ba 452->453 454 17cd396-17cd39c 452->454 454->453
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017CD387
                        Memory Dump Source
                        • Source File: 00000000.00000002.2202716721.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_17c0000_setup.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: b05d874bb664866a4151c724e2c0f801b4f2a5814a60ce9658e9709360150a28
                        • Instruction ID: c265a9499ecffc5b3e269346b7b6b1f4b45eabe952ba47c26263ddb0317a75f9
                        • Opcode Fuzzy Hash: b05d874bb664866a4151c724e2c0f801b4f2a5814a60ce9658e9709360150a28
                        • Instruction Fuzzy Hash: 1E21B0B5D00249DFDB10CFAAD984ADEFBF8EB48310F14842AE918A3250D374A954CFA5
                        Function 017CD2F9 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 457 17cd2f9-17cd394 DuplicateHandle 458 17cd39d-17cd3ba 457->458 459 17cd396-17cd39c 457->459 459->458
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017CD387
                        Memory Dump Source
                        • Source File: 00000000.00000002.2202716721.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_17c0000_setup.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: d07cdda4d374021469e0a51f5250f2a52ec7688faa61e67fdd15b53867e469b8
                        • Instruction ID: d17d269344706ca4592cc8cb2185cc7c57ec52f53adcac667e77c97fe63d45bd
                        • Opcode Fuzzy Hash: d07cdda4d374021469e0a51f5250f2a52ec7688faa61e67fdd15b53867e469b8
                        • Instruction Fuzzy Hash: 4321E0B5D00249DFDB10CFA9D585AEEFBF4EB48310F14842AE918A7210C378A954CFA5
                        Function 017CA870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 462 17ca870-17cb2e8 464 17cb2ea-17cb2ed 462->464 465 17cb2f0-17cb31f LoadLibraryExW 462->465 464->465 466 17cb328-17cb345 465->466 467 17cb321-17cb327 465->467 467->466
                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,017CB101,00000800,00000000,00000000), ref: 017CB312
                        Memory Dump Source
                        • Source File: 00000000.00000002.2202716721.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_17c0000_setup.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 9792165795bd27ddb6154a9516939627ed28ded55e69713f730b17b2de5ec212
                        • Instruction ID: 0143d3504d741d984274e3befcab59f05530ad9816afdc3c56811eb1a7feccf5
                        • Opcode Fuzzy Hash: 9792165795bd27ddb6154a9516939627ed28ded55e69713f730b17b2de5ec212
                        • Instruction Fuzzy Hash: 911123B6C043498FDB10CF9AC445ADEFBF8EB88711F10842EE929A7200C374A545CFA5
                        Function 017CB2A0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 470 17cb2a0-17cb2e8 471 17cb2ea-17cb2ed 470->471 472 17cb2f0-17cb31f LoadLibraryExW 470->472 471->472 473 17cb328-17cb345 472->473 474 17cb321-17cb327 472->474 474->473
                        APIs
                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,017CB101,00000800,00000000,00000000), ref: 017CB312
                        Memory Dump Source
                        • Source File: 00000000.00000002.2202716721.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_17c0000_setup.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 3576f931b2f6fd8a9ae5b6235a822b8252067754d76918155800e1930757f667
                        • Instruction ID: 141ce6984c282ec33ebef7ad15cca67c9fa6851cd5879e4c324baa6fddfc352a
                        • Opcode Fuzzy Hash: 3576f931b2f6fd8a9ae5b6235a822b8252067754d76918155800e1930757f667
                        • Instruction Fuzzy Hash: E11112B6C002498FDB14CF9AD845ADEFBF4EB88710F14842EE929A7200C375A545CFA5
                        Function 017CB020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 477 17cb020-17cb060 478 17cb068-17cb093 GetModuleHandleW 477->478 479 17cb062-17cb065 477->479 480 17cb09c-17cb0b0 478->480 481 17cb095-17cb09b 478->481 479->478 481->480
                        APIs
                        • GetModuleHandleW.KERNEL32(00000000), ref: 017CB086
                        Memory Dump Source
                        • Source File: 00000000.00000002.2202716721.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_17c0000_setup.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: 0663f39fe010a0d3e3be7d41e5e50c44db95e618951cf1fe22b0b3c66aa7d9c3
                        • Instruction ID: 4a5163c8e773da1bc2f4bb40beabd5482f83063ea95531be5c86855bf1cb6ee6
                        • Opcode Fuzzy Hash: 0663f39fe010a0d3e3be7d41e5e50c44db95e618951cf1fe22b0b3c66aa7d9c3
                        • Instruction Fuzzy Hash: 6F11CDB5C003498BDB20CFAAD444A9EFBF4EB89710F10842ED929B7210C375A545CFA5
                        Function 0171D01C Relevance: .1, Instructions: 72COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2202526082.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_171d000_setup.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d4dd2e8d605a0611b2c6493ae56c3467a8992b99c5b7449f35831c8096f55b98
                        • Instruction ID: 197a3a7c2cd3ab95236d4c5590b117fa11a45e5ddfc9e2dc7f411dd7255d8f4b
                        • Opcode Fuzzy Hash: d4dd2e8d605a0611b2c6493ae56c3467a8992b99c5b7449f35831c8096f55b98
                        • Instruction Fuzzy Hash: 7A2125B5604200DFDB25CF5CD9C8B16FB65EB84314F24C5ADD8090B24AC33AD407CA61
                        Function 0171D017 Relevance: .1, Instructions: 53COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2202526082.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_171d000_setup.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ceaa2076b78b8c29f23d7ab96818cb6a7f4ac37cd70125bea6beef1086980b70
                        • Instruction ID: b6fc420ae336557d04ab2cc97f4781faaf4e7604ff0a44df13123de78af457d9
                        • Opcode Fuzzy Hash: ceaa2076b78b8c29f23d7ab96818cb6a7f4ac37cd70125bea6beef1086980b70
                        • Instruction Fuzzy Hash: B911BE75504280CFDB12CF58D5C8B15FB61FB44314F24C6AAD8494B65AC33AD44ACF62

                        Non-executed Functions

                        Function 017CDC74 Relevance: .3, Instructions: 264COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000000.00000002.2202716721.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_17c0000_setup.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 278e9450a7fc1d5dcd5da0c7c83fbae0dae569b3b1cb2beed9618fd6373ea64d
                        • Instruction ID: cd5afb9032f6e671f571f4a843e0005a1269745452b2e1f7ad1b60b8c2df5ae1
                        • Opcode Fuzzy Hash: 278e9450a7fc1d5dcd5da0c7c83fbae0dae569b3b1cb2beed9618fd6373ea64d
                        • Instruction Fuzzy Hash: 19A15C36E002068FCF15DFB8C84459EFBB2FF84700B15456EE905AB265DB75EA45CB80