Edit tour

Windows Analysis Report
TvfkTdK16A.exe

Overview

General Information

Sample name:	TvfkTdK16A.exe renamed because original name is a hash value
Original sample name:	204b989b2d91e1283fe6c42ac5ded27b.exe
Analysis ID:	1483366
MD5:	204b989b2d91e1283fe6c42ac5ded27b
SHA1:	97070ba4ac2db42069e2e759590abe8f9aae166f
SHA256:	06dc28cd7bc98e05437352f0a38decb3644ade27db6522435395f02823ca5f0f
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

TvfkTdK16A.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\TvfkTdK16A.exe" MD5: 204B989B2D91E1283FE6C42AC5DED27B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["52.143.157.240:1912"], "Bot Id": "Nigas", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
TvfkTdK16A.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1662072426.0000000000CC2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: TvfkTdK16A.exe PID: 7420	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TvfkTdK16A.exe PID: 7420	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.TvfkTdK16A.exe.cc0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.4 - Destination IP: 52.143.157.240

Timestamp:	2024-07-27T04:12:04.479163+0200
SID:	2043231
Source Port:	49730
Destination Port:	1912
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 52.143.157.240 - Destination IP: 192.168.2.4

Timestamp:	2024-07-27T04:11:59.332771+0200
SID:	2043234
Source Port:	1912
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.4 - Destination IP: 52.143.157.240

Timestamp:	2024-07-27T04:12:06.747708+0200
SID:	2043231
Source Port:	49730
Destination Port:	1912
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.4 - Destination IP: 52.143.157.240

Timestamp:	2024-07-27T04:11:59.153271+0200
SID:	2046045
Source Port:	49730
Destination Port:	1912
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) - Source IP: 52.143.157.240 - Destination IP: 192.168.2.4

Timestamp:	2024-07-27T04:12:04.657802+0200
SID:	2046056
Source Port:	1912
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.4 - Destination IP: 52.143.157.240

Timestamp:	2024-07-27T04:12:06.533640+0200
SID:	2043231
Source Port:	49730
Destination Port:	1912
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: TvfkTdK16A.exe

Avira: detected

Found malware configuration

Source: TvfkTdK16A.exe

Malware Configuration Extractor: RedLine {"C2 url": ["52.143.157.240:1912"], "Bot Id": "Nigas", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Multi AV Scanner detection for submitted file

Source: TvfkTdK16A.exe	ReversingLabs: Detection: 91%
Source: TvfkTdK16A.exe	Virustotal: Detection: 76%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: TvfkTdK16A.exe

Joe Sandbox ML: detected

Source: TvfkTdK16A.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: TvfkTdK16A.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 52.143.157.240:1912

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 52.143.157.240:1912

Source: Joe Sandbox View

ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240
Source: unknown	TCP traffic detected without corresponding DNS query: 52.143.157.240

Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003659000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: TvfkTdK16A.exe	String found in binary or memory: https://api.ip.sb/ip
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003659000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003659000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003659000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003659000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003659000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003659000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003659000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003659000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003613000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Code function: 0_2_0156DC74	0_2_0156DC74
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Code function: 0_2_055CEE58	0_2_055CEE58
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Code function: 0_2_055C8850	0_2_055C8850
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Code function: 0_2_055C0040	0_2_055C0040
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Code function: 0_2_055C0006	0_2_055C0006
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Code function: 0_2_055C8840	0_2_055C8840

Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs TvfkTdK16A.exe
Source: TvfkTdK16A.exe, 00000000.00000000.1662102776.0000000000D06000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs TvfkTdK16A.exe
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003367000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefirefox.exe0 vs TvfkTdK16A.exe
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003367000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs TvfkTdK16A.exe
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003367000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs TvfkTdK16A.exe
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003367000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs TvfkTdK16A.exe
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003367000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs TvfkTdK16A.exe
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003367000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs TvfkTdK16A.exe
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003367000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\080904B0\\OriginalFilename vs TvfkTdK16A.exe
Source: TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003367000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsedge.exe> vs TvfkTdK16A.exe
Source: TvfkTdK16A.exe, 00000000.00000002.1753744310.00000000011BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs TvfkTdK16A.exe
Source: TvfkTdK16A.exe	Binary or memory string: OriginalFilenameSteanings.exe8 vs TvfkTdK16A.exe

Source: TvfkTdK16A.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\TvfkTdK16A.exe

File created: C:\Users\user\AppData\Local\SystemCache

Jump to behavior

Source: C:\Users\user\Desktop\TvfkTdK16A.exe

Mutant created: NULL

Source: TvfkTdK16A.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: TvfkTdK16A.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\TvfkTdK16A.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\TvfkTdK16A.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TvfkTdK16A.exe	ReversingLabs: Detection: 91%
Source: TvfkTdK16A.exe	Virustotal: Detection: 76%

Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\TvfkTdK16A.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32

Jump to behavior

Source: TvfkTdK16A.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TvfkTdK16A.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: TvfkTdK16A.exe

Static PE information: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]

Source: C:\Users\user\Desktop\TvfkTdK16A.exe

Code function: 0_2_055CD442 push eax; ret

0_2_055CD451

Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\TvfkTdK16A.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\TvfkTdK16A.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Memory allocated: 1560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\TvfkTdK16A.exe

Window / User API: threadDelayed 2159

Jump to behavior

Source: C:\Users\user\Desktop\TvfkTdK16A.exe TID: 7552	Thread sleep time: -8301034833169293s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe TID: 7440	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\TvfkTdK16A.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: TvfkTdK16A.exe, 00000000.00000002.1754002344.000000000128B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\TvfkTdK16A.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\TvfkTdK16A.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\TvfkTdK16A.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Queries volume information: C:\Users\user\Desktop\TvfkTdK16A.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\TvfkTdK16A.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: TvfkTdK16A.exe, 00000000.00000002.1753808350.00000000011F3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\TvfkTdK16A.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: TvfkTdK16A.exe, type: SAMPLE
Source: Yara match	File source: 0.0.TvfkTdK16A.exe.cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1662072426.0000000000CC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TvfkTdK16A.exe PID: 7420, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\TvfkTdK16A.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TvfkTdK16A.exe PID: 7420, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: TvfkTdK16A.exe, type: SAMPLE
Source: Yara match	File source: 0.0.TvfkTdK16A.exe.cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1662072426.0000000000CC2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TvfkTdK16A.exe PID: 7420, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TvfkTdK16A.exe	92%	ReversingLabs	Win32.Ransomware.RedLine
TvfkTdK16A.exe	77%	Virustotal		Browse
TvfkTdK16A.exe	100%	Avira	TR/AD.RedLineSteal.mppaj
TvfkTdK16A.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	0%	URL Reputation	safe
http://tempuri.org/Entity/Id23ResponseD	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Response	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	0%	URL Reputation	safe
http://tempuri.org/Entity/Id4	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19Response	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/sc	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1ResponseD	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1ResponseD	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	0%	URL Reputation	safe
http://tempuri.org/Entity/Id23	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24Response	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17	0%	URL Reputation	safe
http://tempuri.org/Entity/Id18	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
52.143.157.240:1912	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003613000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003659000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003613000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id23ResponseD	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id12Response	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21Response	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id9	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/Entity/Id8	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id4	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id7	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19Response	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15Response	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6Response	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/ip	TvfkTdK16A.exe	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1ResponseD	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id9Response	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003659000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003613000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id20	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id22	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id23	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id24	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id24Response	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003659000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003613000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1Response	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id10	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id12	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16Response	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id13	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id14	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id17	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id18	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5Response	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id10Response	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id8Response	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003659000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003613000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtabS	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003659000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id3ResponseD	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id23Response	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp, TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	TvfkTdK16A.exe, 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.143.157.240	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483366
Start date and time:	2024-07-27 04:11:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TvfkTdK16A.exe renamed because original name is a hash value
Original Sample Name:	204b989b2d91e1283fe6c42ac5ded27b.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 18 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:12:04	API Interceptor	13x Sleep call for process: TvfkTdK16A.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	file.exe	Get hash	malicious	Python Stealer, Amadey, Monster Stealer, RedLine, Stealc, Vidar	Browse	20.42.73.29
	https://forms.office.com/r/Rv9K1pC66n	Get hash	malicious	Unknown	Browse	204.79.197.237
	https://muscletherapytec.com/wp-admin/bvn2/sprom2/popular/41936a0e62f13ad8ca77add4983dc24b	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://muscletherapytec.com/wp-admin/bvn2/sprom2/popular/4e3ca076003281dc76236e73f1cc5142	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://mega.nz/file/BDtUFLTB#5EiSlR7Iv9EQbSU384OWSKh4fgfl1lGDyJermCYi3Gc	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://muscletherapytec.com/wp-admin/bvn2/sprom2/popular/e5ea942a18732b1311810dd2e55b146b/	Get hash	malicious	Unknown	Browse	13.107.246.44
	https://muscletherapytec.com/wp-admin/bvn2/sprom2/popular/17f299cc4b87de0e07a1fdc16d0d9e99/	Get hash	malicious	Unknown	Browse	13.107.246.60
	setup.exe	Get hash	malicious	MicroClip	Browse	204.79.197.239
	setup.exe	Get hash	malicious	MicroClip	Browse	13.107.21.239
	file.exe	Get hash	malicious	Babadeda	Browse	204.79.197.237

Process:	C:\Users\user\Desktop\TvfkTdK16A.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3094
Entropy (8bit):	5.33145931749415
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5:	3FD5C0634443FB2EF2796B9636159CB6
SHA1:	366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
SHA-256:	58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
SHA-512:	8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.0813190261774706
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	TvfkTdK16A.exe
File size:	307'712 bytes
MD5:	204b989b2d91e1283fe6c42ac5ded27b
SHA1:	97070ba4ac2db42069e2e759590abe8f9aae166f
SHA256:	06dc28cd7bc98e05437352f0a38decb3644ade27db6522435395f02823ca5f0f
SHA512:	db80c08b2626ae01bab470a4d8d68d0a9e401498dc7155cd0769f66b99b615f168225405d106e430bc999d0536c58a8e450bca63217213a80ca1a275e4ea8ee8
SSDEEP:	3072:GcZqf7D34cp/0+mAYkygYdQ0ghnB1fA0PuTVAtkxz63R4eqiOL2bBOA:GcZqf7DIknGapB1fA0GTV8kMYL
TLSH:	1B645A5833E8C910DA7F4775D861D67093B0BCA3A552E70B4FC4ACAB3D32740EA51AB6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. ....................... ............@................................

File Icon


Icon Hash:	4d8ea38d85a38e6d

Static PE Info

General

Entrypoint:	0x43028e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x30240	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x32000	0x1c9c6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x50000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2e294	0x2e400	ff778ae75566f0ce18fa235246658a99	False	0.4747730152027027	data	6.1861189976198245	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x32000	0x1c9c6	0x1ca00	a8cf3f8ff27a4a736ba8fb433d91107f	False	0.2380765556768559	data	2.615031395625776	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x50000	0xc	0x200	21472a05bd31cf3b960b3bcc0808216b	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x32220	0x3d04	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9934058898847631
RT_ICON	0x35f24	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	0.09013072282030049
RT_ICON	0x4674c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	0.13905290505432216
RT_ICON	0x4a974	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	0.17033195020746889
RT_ICON	0x4cf1c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	0.2045028142589118
RT_ICON	0x4dfc4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	0.24645390070921985
RT_GROUP_ICON	0x4e42c	0x5a	data	0.7666666666666667
RT_VERSION	0x4e488	0x352	data	0.4447058823529412
RT_MANIFEST	0x4e7dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-27T04:12:04.479163+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49730	1912	192.168.2.4	52.143.157.240
2024-07-27T04:11:59.332771+0200	TCP	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	1912	49730	52.143.157.240	192.168.2.4
2024-07-27T04:12:06.747708+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49730	1912	192.168.2.4	52.143.157.240
2024-07-27T04:11:59.153271+0200	TCP	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	49730	1912	192.168.2.4	52.143.157.240
2024-07-27T04:12:04.657802+0200	TCP	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1912	49730	52.143.157.240	192.168.2.4
2024-07-27T04:12:06.533640+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49730	1912	192.168.2.4	52.143.157.240

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 04:11:58.445050001 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:11:58.450400114 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:11:58.450491905 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:11:58.457835913 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:11:58.462707043 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:11:59.090339899 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:11:59.130609035 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:11:59.153270960 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:11:59.158968925 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:11:59.332771063 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:11:59.380625010 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:04.479162931 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:04.484622002 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:04.657632113 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:04.657695055 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:04.657732010 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:04.657764912 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:04.657769918 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:04.657802105 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:04.657921076 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:04.708806992 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.726512909 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.731661081 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.731683016 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.731697083 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.731709003 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.731720924 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.731745005 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.731758118 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.731796980 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.731885910 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.731899023 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.731909990 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.731954098 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.736768961 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.736794949 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.736807108 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.736829042 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.736840963 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.736841917 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.736865997 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.736880064 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.736890078 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.736905098 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.736963034 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.737061024 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.737072945 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.737083912 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.737139940 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.737190008 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.741816998 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.741843939 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.741899967 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.741955996 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742005110 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742033958 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742063999 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742105007 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742117882 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742176056 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742196083 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742254019 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742258072 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742289066 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742324114 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742336988 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742357016 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742366076 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742415905 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742429018 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742444038 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742474079 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742491961 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742501020 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742522001 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742548943 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742552996 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742575884 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742584944 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742602110 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742614031 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742635012 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742644072 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742662907 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.742671013 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742700100 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.742724895 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.746814013 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.746884108 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.746933937 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.746954918 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.746968031 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.746989012 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.747039080 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.747476101 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747500896 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747530937 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.747533083 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747564077 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.747565031 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747591972 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.747632027 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.747642994 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747657061 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747685909 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747704029 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.747724056 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747737885 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747737885 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.747750998 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747765064 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747778893 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747793913 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747802973 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.747847080 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747859955 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747873068 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747886896 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747909069 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747920036 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747941017 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747953892 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747973919 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.747986078 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748018980 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748030901 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748050928 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748064041 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748115063 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748126984 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748140097 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748151064 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748172045 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748183012 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748194933 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748205900 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748217106 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748239040 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748250008 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748297930 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748310089 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748322010 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748434067 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748445988 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748450041 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.748456955 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748502016 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748514891 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748527050 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748538971 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748552084 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748574972 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748591900 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748593092 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.748605013 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748617887 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748630047 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748651028 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748661995 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748683929 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748694897 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748716116 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.748728037 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.751749039 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752321959 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752332926 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752343893 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752366066 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752377987 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752388954 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752434015 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752445936 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752466917 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752477884 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752557039 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752568960 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752614975 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752626896 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752640963 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752756119 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752793074 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752897978 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.752909899 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753048897 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753061056 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753072977 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753127098 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753138065 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753186941 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753199100 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753251076 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753262997 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753474951 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.753577948 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.753580093 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753593922 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753623962 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753635883 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753678083 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753746986 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753758907 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753822088 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753843069 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753902912 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753916979 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.753998995 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754010916 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754034996 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754045963 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754056931 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754070044 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754132986 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754144907 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754156113 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754167080 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754196882 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754209042 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754220009 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754240990 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754252911 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754264116 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754283905 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754296064 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754314899 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754367113 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754378080 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754470110 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754482031 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754492998 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754503965 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754514933 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754540920 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754564047 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754587889 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754611015 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754653931 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754678011 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754700899 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754724026 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754766941 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754790068 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754812956 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754837036 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754859924 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754883051 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754924059 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.754947901 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758450031 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758464098 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758522987 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758536100 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758548021 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758570910 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758584023 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758625031 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758681059 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.758764029 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758824110 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.758833885 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758847952 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758915901 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758928061 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758965969 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.758989096 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759002924 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759013891 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759074926 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759087086 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759108067 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759124994 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759144068 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759157896 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759202003 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759213924 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759248018 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759259939 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759319067 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759330988 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759373903 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759387016 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759408951 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759421110 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759433031 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759464979 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759475946 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759486914 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759510994 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759814024 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759825945 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759846926 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759857893 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759923935 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759936094 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759962082 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.759974003 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.760030985 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.760042906 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.760062933 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.760075092 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.760097027 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.760108948 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.760121107 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.765145063 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.765275955 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.765362024 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.765388012 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.765387058 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.765414000 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.765444994 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.765471935 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.765527010 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.765528917 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.765594006 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.765639067 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.765898943 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.765927076 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.765971899 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.765997887 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766046047 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766072989 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766124010 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766154051 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766179085 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766205072 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766611099 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766637087 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766704082 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766730070 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766756058 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766782045 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766808033 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766834974 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766880989 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766906977 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766936064 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.766998053 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767138958 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767214060 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767241001 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767287016 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767313957 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767359018 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767385960 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767432928 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767458916 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767505884 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767533064 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767601013 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767627954 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767653942 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767679930 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767707109 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767733097 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767759085 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767782927 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767829895 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.767855883 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773036003 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773049116 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773102999 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773114920 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773127079 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773139000 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773159981 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773171902 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773183107 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773195028 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773230076 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773241997 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773253918 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773266077 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773277044 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773288965 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773294926 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.773309946 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773323059 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773346901 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773360014 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773380995 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773395061 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773396015 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.773427010 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773437977 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773485899 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773500919 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773554087 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773565054 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773621082 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773632050 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773701906 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773714066 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773767948 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773780107 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773801088 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773816109 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773876905 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773896933 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773952007 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.773999929 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.774044991 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.774729967 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.774777889 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.774910927 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.775219917 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.775232077 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.775244951 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.775389910 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.775403023 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.775553942 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.775615931 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.775629044 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.775643110 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.779947996 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.779958963 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.779979944 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.779992104 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780011892 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780023098 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780092955 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780105114 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780144930 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780165911 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780180931 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.780232906 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780245066 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780257940 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780303955 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.780373096 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780385971 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780397892 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780410051 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780421972 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780432940 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780563116 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780574083 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780585051 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780628920 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780669928 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780690908 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.780764103 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.822554111 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.822799921 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.822953939 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.822953939 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.823048115 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:05.827943087 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.827956915 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.827977896 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.827990055 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828064919 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828077078 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828088045 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828111887 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828135014 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828147888 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828160048 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828171015 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828217030 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828228951 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828243017 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828294992 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828337908 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828351021 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828413010 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828423977 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828447104 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828459024 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.828510046 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:05.858406067 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:06.533020020 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:06.533639908 CEST	49730	1912	192.168.2.4	52.143.157.240
Jul 27, 2024 04:12:06.538609028 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:06.710937023 CEST	1912	49730	52.143.157.240	192.168.2.4
Jul 27, 2024 04:12:06.747708082 CEST	49730	1912	192.168.2.4	52.143.157.240

Target ID:	0
Start time:	22:11:57
Start date:	26/07/2024
Path:	C:\Users\user\Desktop\TvfkTdK16A.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TvfkTdK16A.exe"
Imagebase:	0xcc0000
File size:	307'712 bytes
MD5 hash:	204B989B2D91E1283FE6C42AC5DED27B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1662072426.0000000000CC2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1755016697.0000000003106000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	7

Executed Functions

Function 055CEE58 Relevance: 2.5, Strings: 1, Instructions: 1235COMMON

Download Yara Rule

Strings

,7bq, xrefs: 055CF497

Memory Dump Source

Source File: 00000000.00000002.1760817329.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_TvfkTdK16A.jbxd

Similarity

API ID:
String ID: ,7bq
API String ID: 0-2588767232
Opcode ID: 32ed36d97cf0ed777a58c7eaff01bc065d97d2c1150f285d8d7716781aea966e
Instruction ID: 714be26edbf802f9b726b8c52fd2aaa9299fce490d465181f0f3276ee5ad5b2c
Opcode Fuzzy Hash: 32ed36d97cf0ed777a58c7eaff01bc065d97d2c1150f285d8d7716781aea966e
Instruction Fuzzy Hash: CA929C74B102159FCB55ABB8886467E7AF7BFC8340B2484ADE806DB395DE74DC02CB91

Function 055C8840 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760817329.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_TvfkTdK16A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8a1884356bf7cc2b6310ea162f5b135ade07bbe58cb9e14cd4017ff1fd1b3ee
Instruction ID: 0be860724c76985b2278e470108c0ffa07472395881dfb07b732664544d2035a
Opcode Fuzzy Hash: d8a1884356bf7cc2b6310ea162f5b135ade07bbe58cb9e14cd4017ff1fd1b3ee
Instruction Fuzzy Hash: 57D10634911218CFCB18EFB4D8546ADBBB2FF8A301F1095A9E41AAB354DF316986CF11

Function 055C8850 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760817329.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_TvfkTdK16A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9e0e612f0e153ef3e929ff0d12e7e4ded6b51b35c6ebe91039d1d94652e2c5
Instruction ID: 599b2784419bf496f014f358bb60d9938229e57feddf4d4a2527e170f0666d77
Opcode Fuzzy Hash: 0e9e0e612f0e153ef3e929ff0d12e7e4ded6b51b35c6ebe91039d1d94652e2c5
Instruction Fuzzy Hash: 0CD1F634911318CFCB18EFB4D8546ADBBB2FF8A301F1095A9E41AAB254DF316986CF11

Function 0156AE30 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0156B086

Memory Dump Source

Source File: 00000000.00000002.1754656472.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1560000_TvfkTdK16A.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 76b4505dd427e8648f24534702b637dfa6bc359f34b0edd7379072fab3479688
Instruction ID: d0329887bb84bae71244465a96b168d3a2ecf074c5576e7dff6586540479a385
Opcode Fuzzy Hash: 76b4505dd427e8648f24534702b637dfa6bc359f34b0edd7379072fab3479688
Instruction Fuzzy Hash: 5D8158B0A00B068FD724DF69D54075ABBF5FF88304F00892ED19AEBA50D775E84ACB91

Function 01565935 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015659F1

Memory Dump Source

Source File: 00000000.00000002.1754656472.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1560000_TvfkTdK16A.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4570f80e5a15bfcfa3fd75133ac31131d56f73e9e20ecf2559c5c07b3570a80d
Instruction ID: 7b51eb3eb43048d796230e4cf00330bbe2790fd149d22847665dc3ac09730d56
Opcode Fuzzy Hash: 4570f80e5a15bfcfa3fd75133ac31131d56f73e9e20ecf2559c5c07b3570a80d
Instruction Fuzzy Hash: 8241E2B0C0071DCEDB24CFA9C884B9DBBF5BF48304F24845AD408AB255DBB56989CF91

Function 055C0BFC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 055C4381

Memory Dump Source

Source File: 00000000.00000002.1760817329.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_TvfkTdK16A.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 088d1c1d90524ac6edb81d6494f115448889082bf2abd9078189140ae9987331
Instruction ID: 4b4cb65474f7dab76b29b63571c35f77eab59344b9135ebf1a3897301f615d80
Opcode Fuzzy Hash: 088d1c1d90524ac6edb81d6494f115448889082bf2abd9078189140ae9987331
Instruction Fuzzy Hash: A14117B4900245CFDB14CF99C448EAEBFF5FB88314F248599E519AB321D734A881CBA0

Function 01564248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015659F1

Memory Dump Source

Source File: 00000000.00000002.1754656472.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1560000_TvfkTdK16A.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2cc937a2a61f9445e025b2b0eb4ff24fc9d7d853999d5f873307dc26b79e7b04
Instruction ID: b949966b2676af4dc615c97c0687d87b6be5856ed644749c16be991eeb4ef4b7
Opcode Fuzzy Hash: 2cc937a2a61f9445e025b2b0eb4ff24fc9d7d853999d5f873307dc26b79e7b04
Instruction Fuzzy Hash: 1E41D2B0C1071DDADB24CFA9C884B9DBBF5FF49304F24805AD408AB255EBB56945CF90

Function 0156C9A0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0156D2C6,?,?,?,?,?), ref: 0156D387

Memory Dump Source

Source File: 00000000.00000002.1754656472.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1560000_TvfkTdK16A.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b3b0f6c3931208cd4a188136473ae31329eda1b456182a460cac87a264830a9d
Instruction ID: 25c366548e2e7b8f08b10a9430cb047834546c8d8ce6719f227e943be3ca0a43
Opcode Fuzzy Hash: b3b0f6c3931208cd4a188136473ae31329eda1b456182a460cac87a264830a9d
Instruction Fuzzy Hash: BD21E4B5900248DFDB10CF9AD984ADEBFF8FB48320F14841AE958A7310D374A950CFA4

Function 0156D2F9 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0156D2C6,?,?,?,?,?), ref: 0156D387

Memory Dump Source

Source File: 00000000.00000002.1754656472.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1560000_TvfkTdK16A.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9c5b837024f36dec362685f3658d457bbf95134cac85c5a90d6788d1563247ea
Instruction ID: 42410a22eee4e76a96254e69f5b3b40220e8416df3bce26c958b4fb0662b83e3
Opcode Fuzzy Hash: 9c5b837024f36dec362685f3658d457bbf95134cac85c5a90d6788d1563247ea
Instruction Fuzzy Hash: E221E0B5900258DFDB10CFA9D984AEEBBF8FB48324F14841AE958B7210D374A944CFA4

Function 0156A870 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0156B101,00000800,00000000,00000000), ref: 0156B312

Memory Dump Source

Source File: 00000000.00000002.1754656472.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1560000_TvfkTdK16A.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 22942d8ce99eb46ca808903d63b7f3cf011169e6834c65ca55cc3666d87ba98b
Instruction ID: 97e40c0a0e078464a4672c8b84c893be4f053ea0be72188f4d0a32fe0948a3c6
Opcode Fuzzy Hash: 22942d8ce99eb46ca808903d63b7f3cf011169e6834c65ca55cc3666d87ba98b
Instruction Fuzzy Hash: A711E4B6A003499FDB10CF9AC444ADEFBF8FB48314F14842AD919AB610C775A545CFA5

Function 0156B2A0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0156B101,00000800,00000000,00000000), ref: 0156B312

Memory Dump Source

Source File: 00000000.00000002.1754656472.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1560000_TvfkTdK16A.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2ebf19d51d183887300e969c804db9b65cf27d44dc5b86c22117a5642a28b2c5
Instruction ID: 44687ea119b028b9b9bc81cd2c1027c4667b131179d35b624b45b0415ed4b801
Opcode Fuzzy Hash: 2ebf19d51d183887300e969c804db9b65cf27d44dc5b86c22117a5642a28b2c5
Instruction Fuzzy Hash: 0F1123B6A002488FDB10DF9AC444ADEFFF8FB48320F14842AD969A7310C375A545CFA1

Function 0156B020 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0156B086

Memory Dump Source

Source File: 00000000.00000002.1754656472.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1560000_TvfkTdK16A.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: de8a152aab8a875d7ba544383be3850d871d16c08cef241a7d89b94243e6c4fb
Instruction ID: 7155366592a51818b10fc8f5e4c29b2dcdf5d2b53fd7d105f37eb518b44fe6e6
Opcode Fuzzy Hash: de8a152aab8a875d7ba544383be3850d871d16c08cef241a7d89b94243e6c4fb
Instruction Fuzzy Hash: 6C110FB5D003498FDB20DF9AC444ADEFFF8AB88224F10842AD469B7610C375A545CFA1

Function 0150D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754365102.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_TvfkTdK16A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ac60ce7ce078914573dd69aeb64595cd7bd5edc5bc1918a5c420f8993a6690
Instruction ID: 779353659703679729aef92d6471734af191288d2db5ca2db999c4f3ad635138
Opcode Fuzzy Hash: e2ac60ce7ce078914573dd69aeb64595cd7bd5edc5bc1918a5c420f8993a6690
Instruction Fuzzy Hash: AC214871100200DFDB02DFC8C9C0B6ABFB5FB84324F20C569E9090F296C376E446C6A2

Function 0151D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754422026.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_TvfkTdK16A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f581554570de0471ef01195e76dfd5a31c0a297c456b717d97a81dcdaa8ef3
Instruction ID: 1bd78b09d19514bdd2843e8faf18d8df5f2af7d5b26cb8079fe6aa19348a6937
Opcode Fuzzy Hash: 21f581554570de0471ef01195e76dfd5a31c0a297c456b717d97a81dcdaa8ef3
Instruction Fuzzy Hash: 2C210075604200DFEB16DF58D988B2ABBB5FB84314F20C96DD80A4F25AD33AD846CA61

Function 0151D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754422026.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_TvfkTdK16A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822f00769bec24d554850ac28a69ab65d997d6e6418a2b1116f267c136e86994
Instruction ID: ba957e1f3ee2e0b2619052d3bc78724892f7dfb11fb109b3d0f622edb7b259e4
Opcode Fuzzy Hash: 822f00769bec24d554850ac28a69ab65d997d6e6418a2b1116f267c136e86994
Instruction Fuzzy Hash: 67219F755093808FDB03CF24D994B15BF71FB46214F28C5EAD8498F2A7C33A984ACB62

Function 0150D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754365102.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_TvfkTdK16A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 3da0e26c2be68106e1f42d4e329715da3c2b89e88262f60e298d1f010beb1cba
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0811DF72404240CFDB02CF84D5C4B5ABF71FB94324F24C2A9D9090F256C33AE45ACBA1

Function 0150DA81 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754365102.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_TvfkTdK16A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af0c773c1974909551bd13fa33ef72690a5d678d4aa0127c68357571e8df4aa
Instruction ID: 61398026dbeb32a5abdc5104e69e642f3f1207eaa96e49fdfac1be95f94c990d
Opcode Fuzzy Hash: 8af0c773c1974909551bd13fa33ef72690a5d678d4aa0127c68357571e8df4aa
Instruction Fuzzy Hash: B301A73110C3449AE7128AD9C98476BBFE8FF45334F18C969ED094E1C6C2B9D880CA71

Function 0150DA80 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754365102.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_TvfkTdK16A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537e613106becec2942657c7a718a9c75af1f16535c243ec58b6403ff54f15b2
Instruction ID: ef0070de89598c008e217043483a1ee4c730ede69de80368ae0ebcf452673733
Opcode Fuzzy Hash: 537e613106becec2942657c7a718a9c75af1f16535c243ec58b6403ff54f15b2
Instruction Fuzzy Hash: ABF062715083849EE7118A9AC9C4B67FFE8EF55734F18C45AED094F286C2B99884CA71

Non-executed Functions

Function 055C0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760817329.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_TvfkTdK16A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab7f69023aab3cbb1acc88f6869fff873296e3683e946e9d74e6ee0beca97da
Instruction ID: c7e8556359e15cb1d58e624dab0056d083da5d321f900971db8e55dea6c2b7b8
Opcode Fuzzy Hash: 9ab7f69023aab3cbb1acc88f6869fff873296e3683e946e9d74e6ee0beca97da
Instruction Fuzzy Hash: E21295B8CC17458BD310CF66E94C18A3BF1BBA2318BD14A19D2652B6E1D7B815EBCF44

Function 0156DC74 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1754656472.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1560000_TvfkTdK16A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075201f785e32abe9c8420a6823aa9cfaa6f64769531301398423f7d88f95aaa
Instruction ID: 35844992747970c7c2620ef0504f7272fb53b1d0cf46c5d197f0ee9670305d86
Opcode Fuzzy Hash: 075201f785e32abe9c8420a6823aa9cfaa6f64769531301398423f7d88f95aaa
Instruction Fuzzy Hash: A8A18F36F0020A8FCF05DFB9D85059EBBB6FF84300B15496AE905AF265DB71E956CB80

Function 055C0006 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1760817329.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_TvfkTdK16A.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091cec9c603d4f1fdc06bbf7106957c394d54ef87b605e3c96e5a6e5ccc0faaa
Instruction ID: beccf0c719a385b631f6e09a73a8071b807183d0c46c9502f7211302d3db3526
Opcode Fuzzy Hash: 091cec9c603d4f1fdc06bbf7106957c394d54ef87b605e3c96e5a6e5ccc0faaa
Instruction Fuzzy Hash: 0CD119B8CC07458BD310CF66E84818A7BF1BFA6318BD54A19D1616B2E1DBB815EBCF44

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TvfkTdK16A.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TvfkTdK16A.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
TvfkTdK16A.exe

Function 0156AE30 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Function 01565935 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 055C0BFC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 01564248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0156C9A0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0156D2F9 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 0156A870 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 0156B2A0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 0156B020 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON