Edit tour

Windows Analysis Report
x4UbCbpqkP.exe

Overview

General Information

Sample name:	x4UbCbpqkP.exe renamed because original name is a hash value
Original sample name:	187049e720e9545fc7c567f85ee870ec.exe
Analysis ID:	1465934
MD5:	187049e720e9545fc7c567f85ee870ec
SHA1:	1fd8edb9da446de7c24d633b10ca6a4c03c9499f
SHA256:	6ad54ede2fb8a622eb23f83ccce4138aee91178b62183999cca5a0f4fb3b0d93
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RedLine Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

x4UbCbpqkP.exe (PID: 6860 cmdline: "C:\Users\user\Desktop\x4UbCbpqkP.exe" MD5: 187049E720E9545FC7C567F85EE870EC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["144.172.122.232:20131"], "Authorization Header": "70183f61f1e913a8ca5013414de9717c"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
x4UbCbpqkP.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1623610747.00000000009F2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: x4UbCbpqkP.exe PID: 6860	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: x4UbCbpqkP.exe PID: 6860	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.x4UbCbpqkP.exe.9f0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Snort Signatures

ET MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 144.172.122.232 - Destination IP: 192.168.2.4

Timestamp:	07/02/24-09:21:53.677511
SID:	2043234
Source Port:	20131
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.4 - Destination IP: 144.172.122.232

Timestamp:	07/02/24-09:21:53.492903
SID:	2046045
Source Port:	49730
Destination Port:	20131
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) - Source IP: 144.172.122.232 - Destination IP: 192.168.2.4

Timestamp:	07/02/24-09:21:59.015305
SID:	2046056
Source Port:	20131
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.4 - Destination IP: 144.172.122.232

Timestamp:	07/02/24-09:22:04.858085
SID:	2043231
Source Port:	49730
Destination Port:	20131
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: x4UbCbpqkP.exe

Avira: detected

Found malware configuration

Source: x4UbCbpqkP.exe

Malware Configuration Extractor: RedLine {"C2 url": ["144.172.122.232:20131"], "Authorization Header": "70183f61f1e913a8ca5013414de9717c"}

Multi AV Scanner detection for submitted file

Source: x4UbCbpqkP.exe	ReversingLabs: Detection: 79%
Source: x4UbCbpqkP.exe	Virustotal: Detection: 68%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: x4UbCbpqkP.exe

Joe Sandbox ML: detected

Source: x4UbCbpqkP.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: x4UbCbpqkP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 4x nop then jmp 06DD5C68h	0_2_06DD5770
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 4x nop then jmp 06DD3863h	0_2_06DD35A0
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 4x nop then jmp 06DD116Fh	0_2_06DD0A10
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 4x nop then jmp 0724891Ah	0_2_072484F8
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 4x nop then jmp 07248D9Ah	0_2_072484F8
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 4x nop then jmp 072402F1h	0_2_07240040

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49730 -> 144.172.122.232:20131
Source: Traffic	Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49730 -> 144.172.122.232:20131
Source: Traffic	Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 144.172.122.232:20131 -> 192.168.2.4:49730
Source: Traffic	Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 144.172.122.232:20131 -> 192.168.2.4:49730

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 144.172.122.232:20131

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 144.172.122.232:20131

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232
Source: unknown	TCP traffic detected without corresponding DNS query: 144.172.122.232

Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000307B000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000307B000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000307B000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000333A000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000341F000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000003389000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: x4UbCbpqkP.exe	String found in binary or memory: https://api.ip.sb/ip
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000333A000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000341F000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000003389000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000333A000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000341F000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000003389000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000333A000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000341F000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000003389000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000333A000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000341F000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000003389000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000333A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000341F000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000003389000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000333A000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000341F000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000003389000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000333A000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000341F000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000003389000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000333A000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000341F000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000003389000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_051BDC74	0_2_051BDC74
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DD5770	0_2_06DD5770
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DD7580	0_2_06DD7580
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DD82C8	0_2_06DD82C8
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DD0040	0_2_06DD0040
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DDCE68	0_2_06DDCE68
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DD0A10	0_2_06DD0A10
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DD3BE0	0_2_06DD3BE0
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DD2778	0_2_06DD2778
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DD2768	0_2_06DD2768
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DD1470	0_2_06DD1470
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DD1462	0_2_06DD1462
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DD1E68	0_2_06DD1E68
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DD1E2F	0_2_06DD1E2F
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_072484F8	0_2_072484F8
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_0724AF48	0_2_0724AF48
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_072484F5	0_2_072484F5
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_07240006	0_2_07240006
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_07240040	0_2_07240040
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_07246A28	0_2_07246A28
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_07246A19	0_2_07246A19

Source: x4UbCbpqkP.exe, 00000000.00000000.1623635495.0000000000A31000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBanted.exe8 vs x4UbCbpqkP.exe
Source: x4UbCbpqkP.exe, 00000000.00000002.1756450889.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs x4UbCbpqkP.exe
Source: x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs x4UbCbpqkP.exe
Source: x4UbCbpqkP.exe	Binary or memory string: OriginalFilenameBanted.exe8 vs x4UbCbpqkP.exe

Source: x4UbCbpqkP.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe

File created: C:\Users\user\AppData\Local\SystemCache

Jump to behavior

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe

Mutant created: NULL

Source: x4UbCbpqkP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: x4UbCbpqkP.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: x4UbCbpqkP.exe	ReversingLabs: Detection: 79%
Source: x4UbCbpqkP.exe	Virustotal: Detection: 68%

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32

Jump to behavior

Source: x4UbCbpqkP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: x4UbCbpqkP.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: x4UbCbpqkP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: x4UbCbpqkP.exe

Static PE information: 0xF14EB231 [Wed Apr 16 06:01:21 2098 UTC]

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DD2310 push es; ret		0_2_06DD2320
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Code function: 0_2_06DD5F13 push edx; iretd		0_2_06DD5F1F

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Memory allocated: 2D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Memory allocated: 2B70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Window / User API: threadDelayed 908			Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Window / User API: threadDelayed 3070			Jump to behavior

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe TID: 7180	Thread sleep time: -9223372036854770s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe TID: 6212	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: x4UbCbpqkP.exe, 00000000.00000002.1756607563.000000000102B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe

Code function: 0_2_06DD3BE0 LdrInitializeThunk,

0_2_06DD3BE0

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Queries volume information: C:\Users\user\Desktop\x4UbCbpqkP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: x4UbCbpqkP.exe, 00000000.00000002.1762209976.0000000006A30000.00000004.00000020.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1756607563.000000000102B000.00000004.00000020.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1763176040.0000000006E07000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: x4UbCbpqkP.exe, type: SAMPLE
Source: Yara match	File source: 0.0.x4UbCbpqkP.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1623610747.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x4UbCbpqkP.exe PID: 6860, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\x4UbCbpqkP.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x4UbCbpqkP.exe PID: 6860, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: x4UbCbpqkP.exe, type: SAMPLE
Source: Yara match	File source: 0.0.x4UbCbpqkP.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1623610747.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x4UbCbpqkP.exe PID: 6860, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
x4UbCbpqkP.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
x4UbCbpqkP.exe	69%	Virustotal		Browse
x4UbCbpqkP.exe	100%	Avira	HEUR/AGEN.1307407
x4UbCbpqkP.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
bg.microsoft.map.fastly.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://tempuri.org/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14ResponseD	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	0%	Virustotal		Browse
http://tempuri.org/Entity/Id23ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id2Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id12Response	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14ResponseD	2%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	0%	Virustotal		Browse
http://tempuri.org/Entity/Id21Response	4%	Virustotal		Browse
http://tempuri.org/Entity/Id2Response	2%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	0%	Virustotal		Browse
http://tempuri.org/Entity/Id9	3%	Virustotal		Browse
http://tempuri.org/Entity/Id12Response	2%	Virustotal		Browse
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	0%	Virustotal		Browse
http://tempuri.org/Entity/Id23ResponseD	1%	Virustotal		Browse
http://tempuri.org/Entity/Id21Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id9	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id4	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id7	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5	1%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	0%	Virustotal		Browse
http://tempuri.org/Entity/Id8	1%	Virustotal		Browse
http://tempuri.org/Entity/Id6ResponseD	1%	Virustotal		Browse
http://tempuri.org/Entity/Id19Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id7	1%	Virustotal		Browse
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id4	1%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	0%	Virustotal		Browse
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	0%	Virustotal		Browse
http://tempuri.org/Entity/Id19Response	2%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	0%	Virustotal		Browse
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/10/wsat	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13ResponseD	1%	Virustotal		Browse
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	0%	Virustotal		Browse
http://tempuri.org/Entity/Id6	1%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat	0%	Virustotal		Browse
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15Response	2%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/04/sc	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	0%	Virustotal		Browse
http://tempuri.org/Entity/Id5ResponseD	2%	Virustotal		Browse
http://tempuri.org/Entity/Id1ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6Response	2%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id9Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id1ResponseD	1%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	0%	Virustotal		Browse
http://tempuri.org/Entity/Id20	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/sc	0%	Virustotal		Browse
http://tempuri.org/Entity/Id21	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id22	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24Response	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
144.172.122.232:20131	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	x4UbCbpqkP.exe, 00000000.00000002.1757033587.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000333A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	x4UbCbpqkP.exe, 00000000.00000002.1757033587.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000333A000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000341F000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000003389000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id14ResponseD	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id23ResponseD	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id12Response	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21Response	x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000307B000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id9	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6ResponseD	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id4	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id7	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id19Response	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id13ResponseD	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15Response	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5ResponseD	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6Response	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ip.sb/ip	x4UbCbpqkP.exe	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id1ResponseD	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id9Response	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	x4UbCbpqkP.exe, 00000000.00000002.1757033587.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000333A000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000341F000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000003389000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id20	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id22	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id23	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id24	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id24Response	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	x4UbCbpqkP.exe, 00000000.00000002.1757033587.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000333A000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000341F000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000003389000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1Response	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21ResponseD	x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000307B000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id11	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10ResponseD	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id12	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id16Response	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id13	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id14	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id16	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id17	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id18	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5Response	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id19	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15ResponseD	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10Response	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id11ResponseD	x4UbCbpqkP.exe, 00000000.00000002.1757033587.000000000307B000.00000004.00000800.00020000.00000000.sdmp, x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8Response	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id17ResponseD	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002E57000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	x4UbCbpqkP.exe, 00000000.00000002.1757033587.0000000002D71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
144.172.122.232	unknown	United States		9009	M247GB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465934
Start date and time:	2024-07-02 09:21:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	x4UbCbpqkP.exe renamed because original name is a hash value
Original Sample Name:	187049e720e9545fc7c567f85ee870ec.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 29 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:22:01	API Interceptor	21x Sleep call for process: x4UbCbpqkP.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CxFHH8i5A3U7lzl-2BTzhlR6ei7mav1762I-2BKvT-2Fk6a5kJfjpj9RJPK9q48Ck5mSzSlgwV-2BsscO5sphM5t-2BVSr5yuCYcPokWOxF7VJFLVcuGxe55FXxdx2OWqy1uhpoEHKlprCsCZc7-2FzwTpK7gWkfISgE1dm3DNZag7jRcJoAY96XjRqTOiYZpVCYj4WczYZatXIFKlGImVUX-2BtzacIIXUkQ-3D-3Dxdxc_PRiWw-2BWerOwUL-2FYAA-2FiwxOm-2BJW3ubqhGFJ5iVqhmG217gfj9KgzNOSRNluvFvYbWIHUd-2ByAsKYpybXBhPgqT-2F1WfaNjyxdi-2FNqxuKfkiep8TocNXSydFj2bAYBLtB5MEDItgpH6g-2FV3171HTXrzYHtaSp7MB2B8WILdzxuyybTMsChhP3QdW9m4oU0X1zagLaXiyfnb7qkeR5CYT3FajfA-3D-3D	Get hash	malicious	Unknown	Browse	199.232.214.172
	Payment_Confirmation_Receipts.vbs	Get hash	malicious	GuLoader	Browse	199.232.210.172
	New Sample Request.scr.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	KWOTASIE.exe	Get hash	malicious	AgentTesla	Browse	199.232.210.172
	Payment Confirmation.vbs	Get hash	malicious	Remcos, GuLoader	Browse	199.232.210.172
	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse	199.232.214.172
	Revised Invoice 7389293.vbs	Get hash	malicious	GuLoader, Remcos	Browse	199.232.210.172
	http://differentia.ru	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://docs.google.com/forms/d/e/1FAIpQLSdxwlJ42E7IP7P7FI5J10LvcZM2xU4rjZus8shJYViiMODIbA/viewform?pli=1	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://polyfill.io/	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	Maersk_BL_Invoice_Packinglist.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.198
	Revised Invoice 7389293.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.198
	8hd98EhtIFcYkb8.exe	Get hash	malicious	FormBook	Browse	38.207.19.49
	DHL Shipping Document Awb & BL.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
	TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
	invoice-72717953897646054572255005658360083176291774189023-quiltercheviot.pdf	Get hash	malicious	HTMLPhisher	Browse	38.132.122.254
	Maersk_BL_Invoice_Packinglist.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194
	BviOG97ArX.elf	Get hash	malicious	Mirai, Moobot	Browse	173.211.86.129
	DCwYFBy6z7.elf	Get hash	malicious	Mirai, Moobot	Browse	38.204.196.215
	DHL Shipping Invoice & Awb8289djuejeeoffffdelivery.vbs	Get hash	malicious	GuLoader, Remcos	Browse	206.123.148.194

Process:	C:\Users\user\Desktop\x4UbCbpqkP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3094
Entropy (8bit):	5.33145931749415
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5:	3FD5C0634443FB2EF2796B9636159CB6
SHA1:	366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
SHA-256:	58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
SHA-512:	8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.809458973082986
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	x4UbCbpqkP.exe
File size:	292'864 bytes
MD5:	187049e720e9545fc7c567f85ee870ec
SHA1:	1fd8edb9da446de7c24d633b10ca6a4c03c9499f
SHA256:	6ad54ede2fb8a622eb23f83ccce4138aee91178b62183999cca5a0f4fb3b0d93
SHA512:	ae8f75b7bfe61bb5251fe20d5ac69c9d1140539e17df11f05f1665b57844ee68a288ba1f8e2791830785baed916fae7a0599506a530f8f7ca4f4d3f393b8d403
SSDEEP:	3072:4qFFrqwIOGBHy9MGSwTca9G2f6ZkOEhdIVLZ0fHIOcZqf7D34yyCbBOr:LBIOGfardaLZifcZqf7DIyy
TLSH:	4D543A2873D8C911E53E4B79D471D6B093B0ED12A817E35B5ED07CAB3D36B40EA11AB2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1.N...............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	0f0179d4d479038f

Static PE Info

General

Entrypoint:	0x429fc2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF14EB231 [Wed Apr 16 06:01:21 2098 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
popad
add byte ptr [ebp+00h], dh
je 00007F19E9105FD2h
outsd
add byte ptr [esi+00h], ah
imul eax, dword ptr [eax], 006C006Ch
xor eax, 59007400h
add byte ptr [edi+00h], dl
push edx
add byte ptr [ecx+00h], dh
popad
add byte ptr [edi+00h], dl
push esi
add byte ptr [edi+00h], ch
popad
add byte ptr [ebp+00h], ch
push 61006800h
add byte ptr [ebp+00h], ch
dec edx
add byte ptr [eax], bh
add byte ptr [edi+00h], dl
push edi
add byte ptr [ecx], bh
add byte ptr [ecx+00h], bh
bound eax, dword ptr [eax]
xor al, byte ptr [eax]
insb
add byte ptr [eax+00h], bl
pop ecx
add byte ptr [edi+00h], dl
js 00007F19E9105FD2h
jnc 00007F19E9105FD2h
pop edx
add byte ptr [eax+00h], bl
push ecx
add byte ptr [ebx+00h], cl
popad
add byte ptr [edi+00h], dl
dec edx
add byte ptr [ebp+00h], dh
pop edx
add byte ptr [edi+00h], dl
jo 00007F19E9105FD2h
imul eax, dword ptr [eax], 5Ah
add byte ptr [ebp+00h], ch
jo 00007F19E9105FD2h
je 00007F19E9105FD2h
bound eax, dword ptr [eax]
push edi
add byte ptr [eax+eax+77h], dh
add byte ptr [ecx+00h], bl
xor al, byte ptr [eax]
xor eax, 63007300h
add byte ptr [edi+00h], al
push esi
add byte ptr [ecx+00h], ch
popad
add byte ptr [edx], dh
add byte ptr [eax+00h], bh
je 00007F19E9105FD2h
bound eax, dword ptr [eax]
insd
add byte ptr [eax+eax+76h], dh
add byte ptr [edx+00h], bl
push edi
add byte ptr [ecx], bh
add byte ptr [eax+00h], dh
popad
add byte ptr [edi+00h], al
cmp dword ptr [eax], eax
insd
add byte ptr [edx+00h], bl
push edi
add byte ptr [esi+00h], cl
cmp byte ptr [eax], al
push esi
add byte ptr [eax+00h], cl
dec edx
add byte ptr [esi+00h], dh
bound eax, dword ptr [eax]
insd
add byte ptr [eax+00h], bh
jo 00007F19E9105FD2h
bound eax, dword ptr [eax]
insd
add byte ptr [ebx+00h], dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29f70	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0x19da8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x29f54	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2cfa8	0x2d000	939bd28a073181db002fb83b4eaecc39	False	0.4616644965277778	data	6.16789035104987	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x30000	0x19da8	0x1a000	a4f424516bbe0de150f62a2b16406561	False	0.12208909254807693	data	1.5501848344062148	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4a000	0xc	0x400	6a1e0749cab609b2f210f18b32dd4739	False	0.025390625	data	0.05585530805374581	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x30250	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.19676360225140713
RT_ICON	0x312f8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	0.09013072282030049
RT_ICON	0x41b20	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	0.13905290505432216
RT_ICON	0x45d48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	0.17033195020746889
RT_ICON	0x482f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	0.2045028142589118
RT_ICON	0x49398	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	0.24645390070921985
RT_GROUP_ICON	0x49800	0x14	data	1.1
RT_GROUP_ICON	0x49814	0x5a	data	0.7666666666666667
RT_VERSION	0x49870	0x34a	data	0.44418052256532065
RT_MANIFEST	0x49bbc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/02/24-09:21:53.677511	TCP	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	20131	49730	144.172.122.232	192.168.2.4
07/02/24-09:21:53.492903	TCP	2046045	ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	49730	20131	192.168.2.4	144.172.122.232
07/02/24-09:21:59.015305	TCP	2046056	ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)	20131	49730	144.172.122.232	192.168.2.4
07/02/24-09:22:04.858085	TCP	2043231	ET TROJAN Redline Stealer TCP CnC Activity	49730	20131	192.168.2.4	144.172.122.232

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 09:21:52.735893011 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:52.740925074 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:52.741029024 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:52.749460936 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:52.754189014 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:53.360846043 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:53.416836977 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:53.492902994 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:53.500677109 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:53.677510977 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:53.725300074 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:58.838571072 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:58.843441963 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.015305042 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.015431881 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.015441895 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.015497923 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:59.015582085 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.015638113 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:59.106664896 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.106695890 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.106770992 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:59.241552114 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:59.246340990 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.413841009 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.459655046 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:59.474854946 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:59.479743004 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.479753017 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.479790926 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.479799986 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.479804993 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.479827881 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:59.479875088 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.479885101 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.479931116 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.480032921 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.484369993 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.484612942 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.484621048 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.484623909 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.484707117 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.717304945 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.748826027 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:59.753640890 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.921844006 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:21:59.930016994 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:21:59.934885025 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:00.101430893 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:00.130445004 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:00.135498047 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:00.301479101 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:00.324992895 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:00.330005884 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:00.505866051 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:00.553426981 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:00.954030991 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:00.959085941 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.125286102 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.133210897 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:01.138055086 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.138065100 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.138079882 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.138087988 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.138097048 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.138221025 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.138278961 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.138365030 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.376138926 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.428400993 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:01.456943989 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:01.461800098 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.627312899 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.636807919 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:01.641652107 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.807706118 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.810565948 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:01.815529108 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.980860949 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:01.982146978 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:01.986994028 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:02.152740002 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:02.154824972 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:02.159679890 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:02.325472116 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:02.373964071 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:02.686889887 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:02.691905022 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:02.691917896 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:02.691927910 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:02.932244062 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:02.935122013 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:02.940006971 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.182919025 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.225301981 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.556178093 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.563524961 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.563972950 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.564048052 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.564084053 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.564547062 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.564627886 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.564682961 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.564758062 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.566338062 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.567033052 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.567078114 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.567086935 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.567095041 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.567158937 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.568629026 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.570346117 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.570667982 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.570718050 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.570725918 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.570785046 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.571269035 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.571321011 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.571326017 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.571367025 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.573492050 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.573595047 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.573751926 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.573862076 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.575882912 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.575973988 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.576013088 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.576041937 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.576097012 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.576505899 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.576564074 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.578613043 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.578659058 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.578668118 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.578728914 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.579158068 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.579170942 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.579180002 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.579225063 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.579241991 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.579281092 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.579283953 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.579291105 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.579322100 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.579329967 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.579346895 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.579422951 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.581309080 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.581319094 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.581365108 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.581387997 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.581433058 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.581459045 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.581470966 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.581857920 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.581866026 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.581918001 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.581926107 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.581928968 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.584043980 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.584090948 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.584098101 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.584342003 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.584350109 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.584357023 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.584364891 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.584368944 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.584376097 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.584384918 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.584392071 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.584398985 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.584405899 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.584573030 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.585951090 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.585959911 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.585984945 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586013079 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.586025000 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586035013 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586050034 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.586066008 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586075068 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.586114883 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.586116076 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586163998 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586164951 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.586195946 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586218119 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.586256027 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.586560011 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586602926 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586610079 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586610079 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.586617947 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586652994 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.586669922 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586679935 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.586808920 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586817026 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586823940 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586831093 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586838961 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.586863995 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.586935043 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.588831902 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.588840008 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.588900089 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.588907957 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.588964939 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.588973045 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.589025974 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.589034081 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.589633942 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.589641094 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.589703083 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.589718103 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.589792013 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.589799881 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.589833975 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.589899063 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.589910984 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.590023994 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.590032101 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.590039968 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.590046883 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.590054035 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.590063095 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.591443062 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.591478109 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592199087 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592206955 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592262983 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592300892 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592308998 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592329025 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592369080 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592377901 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592449903 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592458010 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592503071 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592509985 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592552900 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592622042 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592643023 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592650890 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592667103 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592683077 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.592766047 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.593319893 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.593364000 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.593372107 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.593456984 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.593465090 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.593472004 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.593507051 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.593513966 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.593522072 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.593574047 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.593647003 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.593653917 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.594908953 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.594961882 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595053911 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595068932 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595149994 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595158100 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595238924 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595247030 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595252991 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595262051 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595293999 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595300913 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595324993 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595333099 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595395088 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595402002 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595428944 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595436096 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595479012 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595485926 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595521927 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595529079 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.595606089 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.600215912 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.600373983 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.600373983 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.600461960 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.607573986 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607584000 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607633114 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607641935 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607667923 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.607702017 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607703924 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.607712030 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607768059 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.607778072 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607791901 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607822895 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607831001 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607844114 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.607873917 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.607877016 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607887030 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607913971 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607922077 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607929945 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.607964039 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.607974052 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608035088 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608042955 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608095884 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608133078 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608237028 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608244896 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608251095 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608258963 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608310938 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608319044 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608352900 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608361006 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608413935 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608422041 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608453989 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608463049 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608525991 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608534098 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608552933 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608609915 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608653069 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608660936 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608669996 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608741045 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608748913 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608757019 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608901024 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608910084 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608951092 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.608977079 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609019041 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609026909 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609086990 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609093904 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609173059 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609179974 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609250069 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609256983 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609263897 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609307051 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609313965 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609335899 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609344006 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609399080 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609406948 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609457016 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609464884 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609529972 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609536886 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609544992 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609553099 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609565020 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609596968 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609612942 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609682083 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609689951 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609806061 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609812975 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.609817028 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.610987902 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611022949 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611136913 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611145020 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611169100 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611176014 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611222982 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611238003 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611309052 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611315966 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611397028 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611403942 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611459017 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611466885 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611517906 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611526012 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611582041 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611589909 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611638069 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.611645937 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.615252018 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.615258932 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.615309954 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.615372896 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.615461111 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.615530968 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.615613937 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.615622044 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.615663052 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.615708113 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.615715981 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.615722895 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.615730047 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.619317055 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.619460106 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.619460106 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.619559050 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.626941919 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.626998901 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627007008 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627072096 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627079964 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627087116 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627094984 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627098083 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627105951 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627149105 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627157927 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627161026 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627167940 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627216101 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627289057 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627298117 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627304077 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627311945 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627319098 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627326012 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627329111 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627361059 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627368927 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627376080 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627382994 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627389908 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627393007 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627424002 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627430916 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627438068 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627445936 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627485037 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627492905 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627500057 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627506971 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627511024 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627552032 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627559900 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627563000 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627573967 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627580881 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627602100 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627609015 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627646923 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627655029 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627685070 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627693892 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627701044 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627722025 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627729893 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627763033 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627770901 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627863884 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627871990 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627880096 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627942085 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627948999 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.627955914 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628026962 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628035069 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628041983 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628048897 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628053904 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628061056 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628144026 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628151894 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628154993 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628163099 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628170013 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628176928 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628247023 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628254890 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628262043 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628268957 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.628287077 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.628433943 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.630017996 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630147934 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630156040 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630158901 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630167007 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630175114 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630207062 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630215883 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630304098 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630311966 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630319118 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630326986 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630335093 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630342007 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630352974 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630359888 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630362988 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630407095 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630414009 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630420923 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630435944 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630501032 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630512953 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630521059 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630558014 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630565882 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630615950 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630623102 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630630970 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630637884 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630646944 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630661011 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630667925 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.630964041 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.631119013 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.635435104 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635443926 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635453939 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635531902 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635540009 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635549068 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635606050 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635613918 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635621071 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635631084 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635638952 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635698080 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635706902 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635714054 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635726929 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635735035 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635749102 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635785103 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635829926 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635838032 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635921001 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635929108 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635955095 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.635994911 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.636002064 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.636010885 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.636040926 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.636096954 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.636106014 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.636109114 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.636123896 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.636131048 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.636195898 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.636204004 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.636214018 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.637981892 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638040066 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638046980 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638056993 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638140917 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638149023 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638156891 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638216972 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638225079 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638276100 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638284922 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638304949 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638340950 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638421059 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638428926 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638437033 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638443947 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638453007 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638495922 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638676882 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638731003 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638739109 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638818026 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638827085 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638834000 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638848066 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638936043 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.638937950 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638957977 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638964891 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638972044 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.638989925 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.639080048 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.639081001 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.639090061 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.639098883 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.639106035 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.639112949 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.639120102 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.639123917 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.640698910 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.640727997 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.640769958 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.640778065 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.640819073 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.640826941 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.640865088 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.640872955 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.640881062 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.640901089 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.640953064 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.640960932 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.641024113 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.641031981 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.641038895 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.641043901 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.641047001 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.641074896 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.641138077 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.641146898 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.641154051 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.641163111 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.641176939 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.678406000 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.684457064 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.708189964 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.713092089 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.713119984 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.713139057 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.713146925 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.713238001 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.713246107 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.713253021 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.713283062 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.713298082 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.713304996 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.713309050 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.713315010 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.713330030 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.713336945 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.713341951 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:03.725290060 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:03.731589079 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:04.297314882 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:04.333885908 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:04.338924885 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:04.507695913 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:04.512526989 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:04.518793106 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:04.684942961 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:04.685380936 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:04.690207005 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:04.857340097 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:04.858084917 CEST	49730	20131	192.168.2.4	144.172.122.232
Jul 2, 2024 09:22:04.862998962 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:05.032325029 CEST	20131	49730	144.172.122.232	192.168.2.4
Jul 2, 2024 09:22:05.062283039 CEST	49730	20131	192.168.2.4	144.172.122.232

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 09:22:12.746440887 CEST	1.1.1.1	192.168.2.4	0xfd18	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 2, 2024 09:22:12.746440887 CEST	1.1.1.1	192.168.2.4	0xfd18	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:21:50
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\x4UbCbpqkP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\x4UbCbpqkP.exe"
Imagebase:	0x9f0000
File size:	292'864 bytes
MD5 hash:	187049E720E9545FC7C567F85EE870EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1623610747.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1757033587.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	106
Total number of Limit Nodes:	17

Executed Functions

Function 06DDCE68 Relevance: 14.9, Strings: 11, Instructions: 1163COMMON

Download Yara Rule

Strings

4c^q, xrefs: 06DDD7FC
(_^q, xrefs: 06DDD904
c^q, xrefs: 06DDD81C
Nv]q, xrefs: 06DDD170
,bq, xrefs: 06DDDA87
(_^q, xrefs: 06DDD91E
4c^q, xrefs: 06DDD7E2
Hbq, xrefs: 06DDDC22
c^q, xrefs: 06DDD836
$^q, xrefs: 06DDD50D
$^q, xrefs: 06DDD4F3

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID: (_^q$(_^q$,bq$4c^q$4c^q$Hbq$Nv]q$$^q$$^q$c^q$c^q
API String ID: 0-3459267885
Opcode ID: d5c45af2fd8512511f6224ea25e730e6165b1e570b3fabe62353949aac7913ed
Instruction ID: dfca0fc02456bd60a22886985b084364936fdb9515162d340f255e47398235bf
Opcode Fuzzy Hash: d5c45af2fd8512511f6224ea25e730e6165b1e570b3fabe62353949aac7913ed
Instruction Fuzzy Hash: 3482A670F801285FCB69EB7D845027D6AE3BFCD700B2048A9C446DB394EE35DD868B96

Function 06DD7580 Relevance: 6.6, Strings: 5, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 06DD7961
Hbq, xrefs: 06DD79D9
Hbq, xrefs: 06DD7992
Hbq, xrefs: 06DD7930
Hbq, xrefs: 06DD7A20

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq$Hbq
API String ID: 0-1677660839
Opcode ID: eabc11e4d63055dd9c609b03f236c80ac47cd1014af854e9da6f8515be99947e
Instruction ID: 48cb4b231f29be970e6a7a29a142ad8a0bacf90f3417a8854fa592d635659363
Opcode Fuzzy Hash: eabc11e4d63055dd9c609b03f236c80ac47cd1014af854e9da6f8515be99947e
Instruction Fuzzy Hash: 5BF19231E10256CFCB55DF75C4502BDFBB2FF85300F248AAAD456AB241EB789A85CB90

Function 06DD3BE0 Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1088
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;), xrefs: 06DD42A2, 06DD42A7
s), xrefs: 06DD431C, 06DD4321

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID: ;)$s)
API String ID: 0-1670427759
Opcode ID: 2e19a39ff16eb806d2e44ebfbb1e2b094ec1faf5f0e202be41c6b8170dd9289d
Instruction ID: eed2273e910ff163d72afb3fc5ed01f320636d6c097eb7d84f4fe4f7a763037f
Opcode Fuzzy Hash: 2e19a39ff16eb806d2e44ebfbb1e2b094ec1faf5f0e202be41c6b8170dd9289d
Instruction Fuzzy Hash: 33C2AD74A112299FCBA4EF28D898B9DBBB1FB49304F1085E9D40DA7350DB35AE85CF50

Function 072484F8 Relevance: 5.5, Strings: 4, Instructions: 496
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 072488E1
$^q, xrefs: 07248C91
$^q, xrefs: 0724881D
$^q, xrefs: 07248D5E

Memory Dump Source

Source File: 00000000.00000002.1764260526.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: bf8907979a26f52bb40e7bc9b93995b1a2d49fceed38cd51887b198630630413
Instruction ID: 55ffd9dfa3bc1a8c710d6105f51f2aa5ed5efc15fc4659b3977a7cee241beb8a
Opcode Fuzzy Hash: bf8907979a26f52bb40e7bc9b93995b1a2d49fceed38cd51887b198630630413
Instruction Fuzzy Hash: BE32B270E11229DFDB68DF64C894BDEB7B2BF89300F1085A9D409AB250DB359E85CF50

Function 06DD5770 Relevance: 2.9, Strings: 2, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 06DD59F0
1, xrefs: 06DD5A75

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID: .$1
API String ID: 0-1839485796
Opcode ID: 8dfc20dfcabc381cae600aaaf9bdb7b931b3181398fc3e4935c23d8c62afac78
Instruction ID: 1a1b094775fd832794d85fe0cae9222bbad1b6f80c3a7ea8eb1e676746d0c73e
Opcode Fuzzy Hash: 8dfc20dfcabc381cae600aaaf9bdb7b931b3181398fc3e4935c23d8c62afac78
Instruction Fuzzy Hash: D8F1DF74E01328CFDB68DF65D884B9DBBB2BF89305F5081A9D509AB290DB719E81CF10

Function 06DD82C8 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c58fe2566d5aae23ac03516168c0c7894808e2fcbe8007727ce8297b33523a
Instruction ID: 387dac222c743a56f9332d19d6ebc055dc2fc9997237eacf9a6fe4cb764de71d
Opcode Fuzzy Hash: 60c58fe2566d5aae23ac03516168c0c7894808e2fcbe8007727ce8297b33523a
Instruction Fuzzy Hash: 9F82CDB4A10216DFDB65EF28D854B6977F1BB48308F1682E8C8099B392EB399C45DF41

Function 0724AF48 Relevance: .6, Instructions: 631COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764260526.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf0c6be6d0403cbbb3421bbc0c4496bc19f8b765a97315fb418da9d003ef35f
Instruction ID: 98891fe4952813929d0ccc184159c7d48494d4757c0e8b0a692c92abfe5f6dfe
Opcode Fuzzy Hash: aaf0c6be6d0403cbbb3421bbc0c4496bc19f8b765a97315fb418da9d003ef35f
Instruction Fuzzy Hash: 8B32CBB0B112059FEB19DFA9D594BAEBBF6AF89300F148469E105DB3A1CB74EC01CB51

Function 06DD0A10 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c854186846de4cc75ac60acb00bad0b0da68fbd5b5380a35e1923f0b3c0bf43b
Instruction ID: e54624d46ba52545b38a496592178b4b9786288680efd31330243ed8ebe8626f
Opcode Fuzzy Hash: c854186846de4cc75ac60acb00bad0b0da68fbd5b5380a35e1923f0b3c0bf43b
Instruction Fuzzy Hash: 7B229E74D00229CFDB64DF68C994BD9B7B2BF89300F5085EAD549A7250EB30AE85CF90

Function 06DD0040 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348877640223826506f882dc9fd69f96592b80ace2486ce263354a1d8a30a764
Instruction ID: 0751e7d285428d9e0372b0fd6e5dc9b55682a0823bc03e18ba71eba8916f360c
Opcode Fuzzy Hash: 348877640223826506f882dc9fd69f96592b80ace2486ce263354a1d8a30a764
Instruction Fuzzy Hash: CB02A074A01229CFDB68DF64C994B9EBBB2BF89300F1085E9D409A7354DB31AE85CF51

Function 06DD35A0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3536a81137e4df8b2118185906fb907fa1f320a9c703ca2832a9cc5169349bcb
Instruction ID: a49da1f48d46d0cac0f9a4319f7bc444bd32f1bf71cbf32a6e3dc4c081347e7e
Opcode Fuzzy Hash: 3536a81137e4df8b2118185906fb907fa1f320a9c703ca2832a9cc5169349bcb
Instruction Fuzzy Hash: 2091F574D01229DFDB64EFA8D944B9DBBB2BF4A304F1081A9D449B7350DB309A85CF51

Function 051BAE30 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1760025659.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_x4UbCbpqkP.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 51a54d0ffa6207cf4e73e467b86e1e06b59abab3fdb90a530c13e71679849219
Instruction ID: 81a96477c37cc11e8a85ce0a85581d2650e1a38c843d842381f701e11e966705
Opcode Fuzzy Hash: 51a54d0ffa6207cf4e73e467b86e1e06b59abab3fdb90a530c13e71679849219
Instruction Fuzzy Hash: 097129B0A00B058FE724DF69D5457AABBF6FF48300F10892DE48AD7A50D7B9E945CB90

Function 051B4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 051B59F1

Memory Dump Source

Source File: 00000000.00000002.1760025659.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_x4UbCbpqkP.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f13afbc35633f5864e5678153ff8f2f2ee64e6f1872bebd2083f6a210e0093fb
Instruction ID: e6fd0d67a552fa00b6868381bd91ae34bdf840206fe82a2964afd63c532a3d60
Opcode Fuzzy Hash: f13afbc35633f5864e5678153ff8f2f2ee64e6f1872bebd2083f6a210e0093fb
Instruction Fuzzy Hash: 6041C1B0D00619CADB24DFA9C884BDDBBF6BF49304F24805AD408BB255EBB56985CF90

Function 051B5935 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 051B59F1

Memory Dump Source

Source File: 00000000.00000002.1760025659.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_x4UbCbpqkP.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d6790f94ed419b99c4783235d8a173cf342d4a422d28ecb6f2631b1619f8ccd4
Instruction ID: 7ffb8c7bc00336b8edf0956a805179be67251704679e50928c620b5a8eb78c0f
Opcode Fuzzy Hash: d6790f94ed419b99c4783235d8a173cf342d4a422d28ecb6f2631b1619f8ccd4
Instruction Fuzzy Hash: C741D2B1D00619CADB24DFA9C888BCDBBF6FF49304F24805AD409BB255DBB56985CF90

Function 051BA858 Relevance: 1.6, APIs: 1, Instructions: 77libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,051BB101,00000800,00000000,00000000), ref: 051BB312

Memory Dump Source

Source File: 00000000.00000002.1760025659.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_x4UbCbpqkP.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6067f38685947a17742d7fa27b34a9a4f59657586545577b1d281a273eec8ab
Instruction ID: e552c1f6e2443f7e67575b7ef5ec3431b9604daf413c28b8c68c2698b439ecdd
Opcode Fuzzy Hash: f6067f38685947a17742d7fa27b34a9a4f59657586545577b1d281a273eec8ab
Instruction Fuzzy Hash: 2631DDB68093988FEB11DFAAC444BDEBFF4EF49310F04809AD495A7212C7B89545CFA5

Function 051BC9A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,051BD2C6,?,?,?,?,?), ref: 051BD387

Memory Dump Source

Source File: 00000000.00000002.1760025659.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_x4UbCbpqkP.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 178c2c80aaa02d6e44f7a4219c545277f7b6d3033b02c84466dd68efefb04680
Instruction ID: 89602d5b37545abc9168771352896a8103e5f31a3f4f91ba29d645f902258746
Opcode Fuzzy Hash: 178c2c80aaa02d6e44f7a4219c545277f7b6d3033b02c84466dd68efefb04680
Instruction Fuzzy Hash: 9A21E4B5900218DFDB10CF9AD984BDEBBF8FB48310F14841AE918A7361D379A950CFA4

Function 051BD2F9 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,051BD2C6,?,?,?,?,?), ref: 051BD387

Memory Dump Source

Source File: 00000000.00000002.1760025659.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_x4UbCbpqkP.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 420d373b950a4a245a786c5e130889924acd6ee60a99d0b259534af4f4e2583c
Instruction ID: 3f360d75502a9025b6d6ee22851525a293348aa5108524af94be4a1c70559da6
Opcode Fuzzy Hash: 420d373b950a4a245a786c5e130889924acd6ee60a99d0b259534af4f4e2583c
Instruction Fuzzy Hash: 6F21E2B5900258DFDB10CFAAE585ADEBBF4FB48310F14841AE958A3251D378AA54CFA4

Function 051BA870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,051BB101,00000800,00000000,00000000), ref: 051BB312

Memory Dump Source

Source File: 00000000.00000002.1760025659.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_x4UbCbpqkP.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 506eadb4bed63ffa115c3edd811eb20e18573e17ecf760f437fe4942b5407438
Instruction ID: d85922be5b59a377718918bf4d0d59bcd8ad1e59fce33f29cb40e7a61f2ae50f
Opcode Fuzzy Hash: 506eadb4bed63ffa115c3edd811eb20e18573e17ecf760f437fe4942b5407438
Instruction Fuzzy Hash: 4A1114B69043498FDB10CF9AC444ADEFBF4EB48310F10842AD419A7610C3B5A945CFA4

Function 06DDB110 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,06DDB076), ref: 06DDB17E

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c0282191e27bcf5b75c7706f74fbbf6e832bb4fc8678d15d39961d6d0c34afcf
Instruction ID: 30c576816fda9a45bf47d17a5a2bf7e0b9be6bff4e3b35dcd5ddfc877553c32c
Opcode Fuzzy Hash: c0282191e27bcf5b75c7706f74fbbf6e832bb4fc8678d15d39961d6d0c34afcf
Instruction Fuzzy Hash: B71123B5D002598FCB10DFAAC948ADEFBF4EF88314F14846AD458A7320C379A546CFA0

Function 06DDAB64 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,06DDB076), ref: 06DDB17E

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6dc3f8c7003858fdd40865b9debd02d88ca5a482d95f368a9011e77ba61879e9
Instruction ID: 4e38a790244b6fed0312036a5a611e6cfc0206a2241702bb393f041a0f072c33
Opcode Fuzzy Hash: 6dc3f8c7003858fdd40865b9debd02d88ca5a482d95f368a9011e77ba61879e9
Instruction Fuzzy Hash: 0C1120B5D007498FCB20DF9AC848A9EFBF4EF88324F11842AD419A7210C379A945CFA4

Function 051BB2A0 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,051BB101,00000800,00000000,00000000), ref: 051BB312

Memory Dump Source

Source File: 00000000.00000002.1760025659.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_x4UbCbpqkP.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7b2dade17e48a83655d131356021d107812a64e5873a8fe6a79336a509cc52b4
Instruction ID: dd74a0156f268fa870166b356dafca06361cf176c9537490e9db762c3eab8031
Opcode Fuzzy Hash: 7b2dade17e48a83655d131356021d107812a64e5873a8fe6a79336a509cc52b4
Instruction Fuzzy Hash: 7711F3B6D043498FDB10CF9AD944BDEFBF4EB48310F14842AD429A7650C3B9A545CFA4

Function 051B9838 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,051BAE4C), ref: 051BB086

Memory Dump Source

Source File: 00000000.00000002.1760025659.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_x4UbCbpqkP.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4999cabc296d7356cd3003397385ed5cf82b2638ecc9b331521bda49611bdb88
Instruction ID: e8db87e6aaed4febb98a5ceb4061d11af8285b9ed2ea52fbc020cb4f1c93f7ce
Opcode Fuzzy Hash: 4999cabc296d7356cd3003397385ed5cf82b2638ecc9b331521bda49611bdb88
Instruction Fuzzy Hash: A2111FB58043088BDB20CF9AC444AEEBBF4EB49210F10842AD469B7610C3B5A949CFA4

Function 07247EC8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0724A105

Memory Dump Source

Source File: 00000000.00000002.1764260526.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_x4UbCbpqkP.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2e7a7c916a879e4351bfcb86c5b2bbbfd25c2e90639cc47b327ca277784963bc
Instruction ID: bbfb4f10a9aa482cf95ad19cda8312e0c6ebc15c8a0a27f04c0975973a877f67
Opcode Fuzzy Hash: 2e7a7c916a879e4351bfcb86c5b2bbbfd25c2e90639cc47b327ca277784963bc
Instruction Fuzzy Hash: 8A1106B5810749DFCB10DF9AC489BDEBBF8EB48314F10841AE558A7200C3B5A944CFA5

Function 0724A0A0 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0724A105

Memory Dump Source

Source File: 00000000.00000002.1764260526.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_x4UbCbpqkP.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 638ee4f23113295b6d11aa6a0415003ccde417d622dea4acf10a5355221371dd
Instruction ID: f01d95742ba75cf1507b2ea6f46dbc712a881d77c65d63bacb5da3428f768b6f
Opcode Fuzzy Hash: 638ee4f23113295b6d11aa6a0415003ccde417d622dea4acf10a5355221371dd
Instruction Fuzzy Hash: 3C11F5B5900259DFDB10CF9AD445BDEBBF8FB48324F20841AD558A7200C375AA44CFA5

Function 0122D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756712654.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_122d000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31810462a8b9da4e82d80124bf00332b326e95b6ed78fc3c0989b10beb005d29
Instruction ID: 2f03e67af8ec554a460dc3ec7789c4d20d6f3ea587b14a0b0cae99e54664c56b
Opcode Fuzzy Hash: 31810462a8b9da4e82d80124bf00332b326e95b6ed78fc3c0989b10beb005d29
Instruction Fuzzy Hash: 05216775514208EFDB05DF48C9C0B6ABF65FB88324F20C16DE9094F256C37AE446CBA1

Function 0123D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756766380.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216dfffbf7526093dae9621109388fc620d34c7da23b06b19bd607ff63fbcb69
Instruction ID: 31b3405fee75e47dac7146ee99faa3b008d9c183791c42f20b074ec67e3a4695
Opcode Fuzzy Hash: 216dfffbf7526093dae9621109388fc620d34c7da23b06b19bd607ff63fbcb69
Instruction Fuzzy Hash: 9B2130B0614208DFCB11DF68D980B26FBA5EB84B14F60C569E90A4B256C37AD406CA61

Function 0123D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756766380.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33756d8b4f719ad9cca1da437ab33c0a31313b4922a9b888174b99caff0ac726
Instruction ID: 6d70480b00180710440c10c0f5cc7c3956ab1b8f4552d11b42500aadf76e8351
Opcode Fuzzy Hash: 33756d8b4f719ad9cca1da437ab33c0a31313b4922a9b888174b99caff0ac726
Instruction Fuzzy Hash: 6B2183755083849FCB02CF64D994711BF71EB86714F28C5DAD9498F2A7C33A981ACB62

Function 0122D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756712654.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_122d000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 4094a1d18421e4a25d8c910b71f572316bf15828e52b957d4f602023ea9e7034
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 64110376404284DFDB12CF44D9C4B5ABF71FB94324F24C2A9D9090B257C33AE45ACBA1

Function 0122DA81 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756712654.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_122d000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b897e9307dea59e8badc623c7888dd33816bc9dd4a231e5cac64547c27ead3dc
Instruction ID: f571ee171c11fc6263f8221c70d24e0e83e6343f4167ca48937ff44d98b70865
Opcode Fuzzy Hash: b897e9307dea59e8badc623c7888dd33816bc9dd4a231e5cac64547c27ead3dc
Instruction Fuzzy Hash: 2A01DB3111C358BAE7118F6DCD84F6BBF98EF45324F18C969EE494E186C679D840C671

Function 0122DA80 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756712654.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_122d000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958d62b4823a68c86234de81007969d2048529ad0cdd6500323388b7e6e33782
Instruction ID: c2c44c059bb6d4edf6af1fd17be968e4230679a71274c432058a66a01fc4c16e
Opcode Fuzzy Hash: 958d62b4823a68c86234de81007969d2048529ad0cdd6500323388b7e6e33782
Instruction Fuzzy Hash: 78F06271508394AEE7118A1AC9C4B67FFA8EB41734F18C95AEE484E286C2799C44CA71

Non-executed Functions

Function 07240040 Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

LR^q, xrefs: 072400EA
PH^q, xrefs: 07240321

Memory Dump Source

Source File: 00000000.00000002.1764260526.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID: LR^q$PH^q
API String ID: 0-4173805542
Opcode ID: 566e0675a5e7aeeaba227bf08e2a0f5481caea0772d423d0123fd833a85d4c5c
Instruction ID: 80386f5ebb4e02311dc500bae048aebca66f95aeb291f0356a6e6f6ac8b549b2
Opcode Fuzzy Hash: 566e0675a5e7aeeaba227bf08e2a0f5481caea0772d423d0123fd833a85d4c5c
Instruction Fuzzy Hash: 6FA10674E10229CFDB28DFA5C884B9EBBB2BF89300F1085A9D509AB354DB745E85CF41

Function 07240006 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

LR^q, xrefs: 072400EA

Memory Dump Source

Source File: 00000000.00000002.1764260526.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 4687215484f187c21ed9223b3dfc54c51de1ec0e6f6650549f06abf41230845d
Instruction ID: 5fc4a7c5a9ea61901dfe7f5b54e78679e2373b2b2e6f097d46e2a99e8d187e6a
Opcode Fuzzy Hash: 4687215484f187c21ed9223b3dfc54c51de1ec0e6f6650549f06abf41230845d
Instruction Fuzzy Hash: DC413CB1D053599FDB19DFA6C94069DBFF2BF8A300F14C4AAC404AB255DB38198ACF51

Function 06DD1470 Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14149e721e2ada76b374827b990edc2ca45e9a4511024226787526885bddc82c
Instruction ID: f3e27c49c663f10bdf8fc2912af0b33cee0abf0b1caec6b6571ee3c1c97816e9
Opcode Fuzzy Hash: 14149e721e2ada76b374827b990edc2ca45e9a4511024226787526885bddc82c
Instruction Fuzzy Hash: D442AD74E012289FDB64DF69C894BEDBBB2BF89300F1085E9D449A7264DB349E85CF50

Function 07246A19 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764260526.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69cbe253c4abcc4d52266d0e0f2c33add354043a624068d2e8965f771b6ca51f
Instruction ID: d1f414e4de8041a3f4f2ffcbe6536c47d629f3fafdba8fd2fdf3ef26477cd08b
Opcode Fuzzy Hash: 69cbe253c4abcc4d52266d0e0f2c33add354043a624068d2e8965f771b6ca51f
Instruction Fuzzy Hash: 59D1F931D20B5A9ACB00FB64D954AADB7B1FF95300F10CB9AD00937625FB706AC9CB91

Function 07246A28 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764260526.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66577e05fd34f73b4870d065b4dbaa524c1b895d7de97a3f5dbf459972bb02d
Instruction ID: b46b1a236c8ac1774cabdc797cd15558f9737c83c5327ce3ee4b1aa11b62fd38
Opcode Fuzzy Hash: f66577e05fd34f73b4870d065b4dbaa524c1b895d7de97a3f5dbf459972bb02d
Instruction Fuzzy Hash: 2DD1EA31D20B5A9ACB10FBA4D954AADB771FF95300F10CB9AD00937664FB706AC9CB91

Function 051BDC74 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760025659.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51b0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a08f23df419679c3eb94d8af1f66b24ff445c21d22b3b8144cfffbafd1d1426
Instruction ID: 62166d80f76a1b28018241f09b18698fd7a6dd4c0b325a403a04bf54003c15a2
Opcode Fuzzy Hash: 0a08f23df419679c3eb94d8af1f66b24ff445c21d22b3b8144cfffbafd1d1426
Instruction Fuzzy Hash: 01A17136F002158FDF09DFB5D8445DEB7B2FF84300B1585AAE806AB265DBB1E946CB80

Function 06DD2778 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e6e6ebbe83074dcd26b7eb854443b9acd1e5409394d9780213d98b935347ac
Instruction ID: 99ab8c81673cf1469492b15fa28ebe6710b12b431f9be667cf52fc44ef7469f4
Opcode Fuzzy Hash: 89e6e6ebbe83074dcd26b7eb854443b9acd1e5409394d9780213d98b935347ac
Instruction Fuzzy Hash: 76B1D474E01229CFDB64DF65D884B9DBBB2BF89300F5085AAD409AB354DB349E85CF50

Function 06DD1E2F Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2743c15e78967298da8205a64580ee2e177e9eb8f4b217ec9c14986a1994245
Instruction ID: 656d3419533987ecca15095ee0da52405a155b59d4de484479fc5a57e2afc6c1
Opcode Fuzzy Hash: c2743c15e78967298da8205a64580ee2e177e9eb8f4b217ec9c14986a1994245
Instruction Fuzzy Hash: 1D91E970E002189FDB58EFB4D894A9EBBB6FF89300F208169D419AB354DB355D46DF50

Function 06DD1E68 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9457fd7f5e2e9665a48632e6bb62dd43280a77de4333f6f7ad5e763174e6b137
Instruction ID: 8b19705a94001c7ac05cbba26400fbde219dd3f9ee202ce58b96122502f7f9c8
Opcode Fuzzy Hash: 9457fd7f5e2e9665a48632e6bb62dd43280a77de4333f6f7ad5e763174e6b137
Instruction Fuzzy Hash: 1C81D970E002189FDB58EFA8D894A9EBBB2FF89300F208569D419AB354DB315D46DF50

Function 072484F5 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764260526.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbab1dea082ab3e66f2f2d22e2245ff4dfb38e87c471f8088c5e228c1464a940
Instruction ID: 01be868f7ba300422c079c725d2e3ceabb0d85058f7f3ed4b5b31a44f31076a4
Opcode Fuzzy Hash: dbab1dea082ab3e66f2f2d22e2245ff4dfb38e87c471f8088c5e228c1464a940
Instruction Fuzzy Hash: 9951E5B0E102189FDB18DF69C880B9EBBB2BF89300F14C1A9D50DAB255DB345E86CF51

Function 06DD1462 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebcaf3913c0644a5e2b0a3addfda77248b3cad9ba85f5e77bc4182fce36baf35
Instruction ID: dc63ff69c34dc2f58658615a957a814098fe080a7e9d0ca26d04474ebd04ebc9
Opcode Fuzzy Hash: ebcaf3913c0644a5e2b0a3addfda77248b3cad9ba85f5e77bc4182fce36baf35
Instruction Fuzzy Hash: 98510871E002599FEB68DF65D840BEEBBB2BF88300F1085EAD409A7254DB305E85DF51

Function 06DD2768 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1763011097.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_x4UbCbpqkP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e792362beb1f03ca688bcaf23cae053e9386b3ed5058657b3e19687700d371
Instruction ID: a69d4f08622897e8677254eb2fd9581cd700e331bcd43ee0e83a16ddea310ddb
Opcode Fuzzy Hash: 09e792362beb1f03ca688bcaf23cae053e9386b3ed5058657b3e19687700d371
Instruction Fuzzy Hash: F331F471E016199BEB68DFA6C8407DEFBB3AF89304F10C169D908AB254DB704A468F90

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report x4UbCbpqkP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x4UbCbpqkP.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
x4UbCbpqkP.exe

Function 06DD7580 Relevance: 6.6, Strings: 5, Instructions: 393
COMMON

Function 06DD3BE0 Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1088
COMMON

Function 072484F8 Relevance: 5.5, Strings: 4, Instructions: 496
COMMON

Function 06DD5770 Relevance: 2.9, Strings: 2, Instructions: 364
COMMON

Function 051BAE30 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Function 051B4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON