Windows Analysis Report
htJVR9pt8V.exe

Overview

General Information

Sample name: htJVR9pt8V.exe (renamed because the original name is a hash value)
Original sample name: A232B15DD85EC2B60276D31846D30ADB.exe
Analysis ID: 1496463
MD5: a232b15dd85ec2b60276d31846d30adb
SHA1: 34b8407e5cb4d6acc1e032619474c6099f73bf93
SHA256: a976381b654aecf1a66b206bdaf74243321b4c67fd42079181efedc09665410e
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer

Classification

  • System is w10x64
  • htJVR9pt8V.exe (PID: 384 cmdline: "C:\Users\user\Desktop\htJVR9pt8V.exe" MD5: A232B15DD85EC2B60276D31846D30ADB)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware configuration (extracted): {"C2 url": ["103.211.207.57:1912"], "Bot Id": "Azure", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Yara matches (Source | Rule | Description | Author):
htJVR9pt8V.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000000.2026010783.0000000000642000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: htJVR9pt8V.exe PID: 384 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: htJVR9pt8V.exe PID: 384 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.0.htJVR9pt8V.exe.640000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

No Sigma rule has matched
Suricata IDS alerts (all on 2024-08-21, UTC+02:00; all severity 1, protocol TCP, classtype "A Network Trojan was detected"; listed in the order the report gives them):

Timestamp        SID      Src port  Dst port
10:07:16.345336  2043231  49704     1912
10:07:03.338984  2043234  1912      49704
10:07:09.890560  2043231  49704     1912
10:07:17.298391  2043231  49704     1912
10:07:08.406815  2043231  49704     1912
10:07:18.417405  2043231  49704     1912
10:07:18.764580  2043231  49704     1912
10:07:14.282029  2043231  49704     1912
10:07:15.945604  2043231  49704     1912
10:07:19.498807  2043231  49704     1912
10:07:09.178838  2043231  49704     1912
10:07:17.711993  2043231  49704     1912
10:07:16.697652  2043231  49704     1912
10:07:12.052576  2043231  49704     1912
10:07:10.238865  2043231  49704     1912
10:07:02.991225  2046045  49704     1912
10:07:09.183698  2046056  1912      49704
10:07:11.625848  2043231  49704     1912
10:07:18.065270  2043231  49704     1912
10:07:09.535391  2043231  49704     1912
10:07:14.729640  2043231  49704     1912
10:07:10.589120  2043231  49704     1912
10:07:15.080354  2043231  49704     1912
10:07:19.112469  2043231  49704     1912
10:07:15.454784  2043231  49704     1912

AV Detection

Source: htJVR9pt8V.exe | Avira: detected
Source: htJVR9pt8V.exe | Malware Configuration Extractor: RedLine {"C2 url": ["103.211.207.57:1912"], "Bot Id": "Azure", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: htJVR9pt8V.exe | ReversingLabs: Detection: 91%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: htJVR9pt8V.exe | Joe Sandbox ML: detected
Source: htJVR9pt8V.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: htJVR9pt8V.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.ServiceModel.pdb | source: htJVR9pt8V.exe, 00000000.00000002.2210833117.0000000000B81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb | source: htJVR9pt8V.exe, 00000000.00000002.2210833117.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.5:49704 -> 103.211.207.57:1912
Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.5:49704 -> 103.211.207.57:1912
Source: Network traffic | Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 103.211.207.57:1912 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 103.211.207.57:1912 -> 192.168.2.5:49704
Source: Malware configuration extractor | URLs: 103.211.207.57:1912
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 103.211.207.57:1912
Source: Joe Sandbox View | ASN Name: AOFEI-HKAOFEIDATAINTERNATIONALCOMPANYLIMITEDHK
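The ET signature named "MC-NMF Authorization" above and the System.ServiceModel strings in process memory both point at WCF net.tcp framing, which is the .NET Message Framing protocol (MS-NMF). The block below is an added example, not code from this report or from Joe Sandbox: a parser for the client-side MS-NMF preamble that extracts the Via URI, mode and encoding, plus a check that flags duplex net.tcp framing to a port other than WCF's default 808. Record types and value tables follow the public MS-NMF specification; the input bytes are constructed for the example (the Via host and port are the report's C2 address, the trailing path is assumed) and are not taken from the captured pcap.

```python
"""Parse an MS-NMF (.NET Message Framing) client preamble and flag net.tcp C2-style framing.

Added example, not part of the Joe Sandbox report. Record types, mode and
encoding values follow the public MS-NMF specification; the sample bytes
below are constructed for this example, not taken from the report's pcap.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Preamble record types (MS-NMF section 2.2.3)
REC_VERSION, REC_MODE, REC_VIA, REC_KNOWN_ENCODING, REC_PREAMBLE_END = 0x00, 0x01, 0x02, 0x03, 0x0C
MODES = {1: "singleton-unsized", 2: "duplex", 3: "simplex", 4: "singleton-sized"}
ENCODINGS = {0: "utf8-soap11", 1: "utf16-soap11", 2: "unicode-le-soap11",
             3: "utf8-soap12", 4: "utf16-soap12", 5: "unicode-le-soap12",
             6: "mtom", 7: "binary", 8: "binary-inband-dictionary"}
DEFAULT_NET_TCP_PORT = 808  # WCF's default net.tcp port; anything else counts as non-standard here


@dataclass
class Preamble:
    major: int
    minor: int
    mode: str
    via: str
    encoding: str
    consumed: int  # bytes of the stream used by the preamble


def encode_varint(n: int) -> bytes:
    """MS-NMF sizes: base-128, least-significant group first, high bit = more bytes follow."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a size field at buf[pos]; returns (value, next_pos). At most 5 bytes are allowed."""
    value, shift = 0, 0
    for _ in range(5):
        if pos >= len(buf):
            raise ValueError("truncated size field")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
    raise ValueError("size field longer than 5 bytes")


def parse_preamble(buf: bytes) -> Preamble:
    """Walk records until PreambleEnd (0x0C); every preamble field must be present."""
    pos = 0
    major = minor = mode = via = encoding = None

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(buf):
            raise ValueError(f"truncated record at offset {pos}")
        chunk = buf[pos:pos + n]
        pos += n
        return chunk

    while True:
        rtype = take(1)[0]
        if rtype == REC_VERSION:
            major, minor = take(2)
        elif rtype == REC_MODE:
            m = take(1)[0]
            mode = MODES.get(m, f"unknown({m})")
        elif rtype == REC_VIA:
            n, pos = read_varint(buf, pos)
            via = take(n).decode("utf-8")
        elif rtype == REC_KNOWN_ENCODING:
            e = take(1)[0]
            encoding = ENCODINGS.get(e, f"unknown({e})")
        elif rtype == REC_PREAMBLE_END:
            break
        else:
            raise ValueError(f"unexpected record type 0x{rtype:02x} at offset {pos - 1}")
    if None in (major, minor, mode, via, encoding):
        raise ValueError("preamble ended before all required records were seen")
    return Preamble(major, minor, mode, via, encoding, pos)


def flag_net_tcp_c2(pre: Preamble, dst_port: int) -> Optional[str]:
    """Reason string when duplex net.tcp framing goes to a non-default port, else None."""
    if not pre.via.startswith("net.tcp://") or pre.mode != "duplex":
        return None
    if dst_port == DEFAULT_NET_TCP_PORT:
        return None
    return f"duplex net.tcp framing ({pre.encoding}) to {pre.via} on port {dst_port}"


def build_client_preamble(via: str, mode: int = 2, encoding: int = 8) -> bytes:
    """Constructed client preamble: Version 1.0, Mode, Via, KnownEncoding, PreambleEnd."""
    via_b = via.encode("utf-8")
    return (bytes([REC_VERSION, 1, 0, REC_MODE, mode, REC_VIA]) + encode_varint(len(via_b))
            + via_b + bytes([REC_KNOWN_ENCODING, encoding, REC_PREAMBLE_END]))


# Constructed sample: host:port is the C2 this report extracted; the "/" path is an assumption
SAMPLE_PREAMBLE = build_client_preamble("net.tcp://103.211.207.57:1912/")

if __name__ == "__main__":
    pre = parse_preamble(SAMPLE_PREAMBLE)
    print(pre)
    print(flag_net_tcp_c2(pre, 1912))
```

The parser stops at the first byte it cannot place, so a truncated stream or a stray upgrade record raises instead of returning a half-filled result; a detector built on this should treat such errors as "not NMF" rather than as a match.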
Source: unknown | TCP traffic detected without corresponding DNS query: 103.211.207.57 (reported 50 times, one entry per connection event)
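The "TCP traffic detected without corresponding DNS query" entries above come from a simple correlation: connection events are matched against the DNS answers the host has already received, and an external peer reached by bare IP is flagged, which is exactly what a hard-coded C2 such as 103.211.207.57:1912 looks like on the wire. The block below is an added example, not the sandbox's own logic: it runs that correlation over a few constructed, Zeek-style connection and DNS records, collapses repeated connections to the same peer into one finding with a count, and marks a non-standard destination port as a separate reason. Field names, timestamps and the benign addresses are this example's assumptions; the only address taken from the report is the C2.

```python
"""Flag outbound TCP connections to external peers that no DNS answer explained.

Added example, not part of the Joe Sandbox report. The log records below are
constructed Zeek-style dictionaries (field names are this example's choice);
the only address taken from the report is the RedLine C2 103.211.207.57:1912.
"""
import ipaddress
from collections import OrderedDict
from typing import Dict, List

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
COMMON_PORTS = {22, 25, 53, 80, 443, 587, 993, 995}

# Constructed DNS answers (ts in seconds); 198.51.100.7 is resolved only AFTER it was contacted
DNS_LOG = [
    {"ts": 100.0, "query": "updates.example", "answers": ["203.0.113.10"]},
    {"ts": 109.0, "query": "cdn.example", "answers": ["198.51.100.7"]},
]

# Constructed connection records for the sandbox host 192.168.2.5
CONN_LOG = [
    {"ts": 102.0, "src_ip": "192.168.2.5", "src_port": 49702, "dst_ip": "203.0.113.10", "dst_port": 443, "proto": "tcp"},
    {"ts": 103.0, "src_ip": "192.168.2.5", "src_port": 49704, "dst_ip": "103.211.207.57", "dst_port": 1912, "proto": "tcp"},
    {"ts": 104.0, "src_ip": "192.168.2.5", "src_port": 49704, "dst_ip": "103.211.207.57", "dst_port": 1912, "proto": "tcp"},
    {"ts": 105.0, "src_ip": "192.168.2.5", "src_port": 49704, "dst_ip": "103.211.207.57", "dst_port": 1912, "proto": "tcp"},
    {"ts": 106.0, "src_ip": "192.168.2.5", "src_port": 49710, "dst_ip": "192.168.2.1", "dst_port": 445, "proto": "tcp"},
    {"ts": 107.5, "src_ip": "192.168.2.5", "src_port": 49712, "dst_ip": "198.51.100.7", "dst_port": 443, "proto": "tcp"},
    {"ts": 108.0, "src_ip": "192.168.2.5", "src_port": 49713, "dst_ip": "203.0.113.53", "dst_port": 53, "proto": "udp"},
]


def is_internal(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local destinations, which the heuristic ignores."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def first_answer_times(dns_log: List[dict]) -> Dict[str, float]:
    """Earliest timestamp at which each IP appeared in a DNS answer."""
    first: Dict[str, float] = {}
    for rec in dns_log:
        for ip in rec.get("answers", []):
            first[ip] = min(first.get(ip, rec["ts"]), rec["ts"])
    return first


def find_unresolved_connections(conn_log: List[dict], dns_log: List[dict]) -> List[dict]:
    """One finding per (dst_ip, dst_port) for external TCP peers that no DNS answer
    had named by the time the connection was made; repeats are counted, not re-listed."""
    answered = first_answer_times(dns_log)
    findings: "OrderedDict[tuple, dict]" = OrderedDict()
    for c in conn_log:
        if c["proto"] != "tcp" or is_internal(c["dst_ip"]):
            continue
        if c["dst_ip"] in answered and answered[c["dst_ip"]] <= c["ts"]:
            continue  # a name resolved to this IP before it was contacted
        key = (c["dst_ip"], c["dst_port"])
        f = findings.setdefault(key, {
            "dst_ip": c["dst_ip"], "dst_port": c["dst_port"], "count": 0,
            "first_ts": c["ts"], "reasons": ["TCP connection without preceding DNS answer"],
        })
        f["count"] += 1
        if c["dst_port"] not in COMMON_PORTS and "non-standard destination port" not in f["reasons"]:
            f["reasons"].append("non-standard destination port")
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_unresolved_connections(CONN_LOG, DNS_LOG):
        print(finding)
```

Two points carry over to a real deployment: the DNS answer must precede the connection (an answer seen later does not explain an earlier connect), and connections that cannot be explained are still only a lead, since CDNs reached via cached resolutions and hard-coded update servers produce the same pattern.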
Strings found in binary or memory (source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp):
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
http://schemas.xmlsoap.org/ws/2002/12/policy
http://schemas.xmlsoap.org/ws/2004/04/sc
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
http://schemas.xmlsoap.org/ws/2004/04/trust
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
http://schemas.xmlsoap.org/ws/2004/06/addressingex
http://schemas.xmlsoap.org/ws/2004/10/wsat
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
http://schemas.xmlsoap.org/ws/2004/10/wscoor
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse

Strings found in binary or memory (source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp):
http://schemas.datacontract.org
http://schemas.datacontract.org/2004/07/
http://schemas.datacontract.org/2004/07/System.ServiceModel
http://schemas.datacontract.org/2004/07/System.ServiceModelD
http://schemas.datacontract.org/2004/07/System.ServiceModeld

Strings found in binary or memory (source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp):
http://schemas.xmlsoap.org/soap/actor/next
http://schemas.xmlsoap.org/soap/envelope/
http://schemas.xmlsoap.org/ws/2004/08/addressing
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/:hardwares.
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002D79000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002CFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002D79000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002D79000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: htJVR9pt8V.exeString found in binary or memory: https://api.ip.sb/ip
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Code function: 0_2_00E5DC74
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Code function: 0_2_07C00940
                    Source: htJVR9pt8V.exe, 00000000.00000002.2210833117.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs htJVR9pt8V.exe
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefirefox.exe0 vs htJVR9pt8V.exe
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q,\\StringFileInfo\\000004B0\\OriginalFilename vs htJVR9pt8V.exe
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs htJVR9pt8V.exe
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q,\\StringFileInfo\\040904B0\\OriginalFilename vs htJVR9pt8V.exe
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs htJVR9pt8V.exe
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs htJVR9pt8V.exe
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q,\\StringFileInfo\\080904B0\\OriginalFilename vs htJVR9pt8V.exe
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs htJVR9pt8V.exe
                    Source: htJVR9pt8V.exe, 00000000.00000000.2026036434.0000000000686000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs htJVR9pt8V.exe
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs htJVR9pt8V.exe
                    Source: htJVR9pt8V.exe | Binary or memory string: OriginalFilenameSteanings.exe8 vs htJVR9pt8V.exe
                    Source: htJVR9pt8V.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File created: C:\Users\user\AppData\Local\SystemCache
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Mutant created: NULL
                    Source: htJVR9pt8V.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: htJVR9pt8V.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: htJVR9pt8V.exe | ReversingLabs: Detection: 91%
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: msvcp140_clr0400.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
                    Source: htJVR9pt8V.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: htJVR9pt8V.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: System.ServiceModel.pdb source: htJVR9pt8V.exe, 00000000.00000002.2210833117.0000000000B81000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: htJVR9pt8V.exe, 00000000.00000002.2210833117.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp
                    Source: htJVR9pt8V.exeStatic PE information: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Memory allocated: CD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Memory allocated: 2A30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Memory allocated: 4A30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Window / User API: threadDelayed 1706
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Window / User API: threadDelayed 8060
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe TID: 1976 | Thread sleep time: -28592453314249787s >= -30000s
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Thread delayed: delay time: 922337203685477
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: htJVR9pt8V.exe, 00000000.00000002.2210833117.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Queries volume information: C:\Users\user\Desktop\htJVR9pt8V.exe VolumeInformation
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: htJVR9pt8V.exe, 00000000.00000002.2225284134.0000000006EF6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: htJVR9pt8V.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.htJVR9pt8V.exe.640000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.2026010783.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: htJVR9pt8V.exe PID: 384, type: MEMORYSTR
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\walletsLR]q
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q2C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR]q
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR]qLj
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q%appdata%`,]qdC:\Users\user\AppData\Roaming`,]qdC:\Users\user\AppData\Roaming\Binance
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q&%localappdata%\Coinomi\Coinomi\walletsLR]q
                    Source: htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Users\user\Desktop\htJVR9pt8V.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: Yara match | File source: 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: htJVR9pt8V.exe PID: 384, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: htJVR9pt8V.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.htJVR9pt8V.exe.640000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000000.2026010783.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: htJVR9pt8V.exe PID: 384, type: MEMORYSTR
                    MITRE ATT&CK Matrix (one line per tactic; techniques are listed in the order the report's matrix shows them, and the digits that the report places in front of a technique are kept in front of it)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
                    Execution: 221 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
                    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
                    Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
                    Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 241 Virtualization/Sandbox Evasion; 1 Timestomp; 1 DLL Side-Loading
                    Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
                    Discovery: 231 Security Software Discovery; 1 Process Discovery; 241 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 113 System Information Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
                    Collection: 1 Archive Collected Data; 3 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging
                    Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner | Label
htJVR9pt8V.exe | 92% | ReversingLabs | Win32.Ransomware.RedLine
htJVR9pt8V.exe | 100% | Avira | TR/AD.RedLineSteal.mppaj
htJVR9pt8V.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/sc | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/trust | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
                    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
103.211.207.57:1912 | true | (none listed) | unknown
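The indicator tables in this report mix two kinds of strings that deserve very different handling. The schemas.xmlsoap.org, docs.oasis-open.org, schemas.datacontract.org and tempuri.org entries are WS-*/SOAP namespace constants that .NET's System.ServiceModel (WCF) carries in any process that loads it; the tempuri.org/Entity/IdN strings are the default action URIs WCF generates for a service contract. They were pulled from the process memory dumps, are never contacted as hosts, and belong on no blocklist. The network indicators worth acting on are the contacted endpoint 103.211.207.57:1912 (flagged malicious, on a non-standard port) and the external-IP lookup https://api.ip.sb/ip. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses rows in the flattened text layout of these tables into records, tags WCF namespace noise, and emits a Suricata rule for the socket indicator. The namespace allowlist, the rule message text and the SID are the example author's assumptions; the sample rows it runs on are copied verbatim from this report.

```python
"""Parse flattened Joe Sandbox-style indicator rows and separate real network IOCs
from .NET WCF schema-namespace noise. Added example; not part of the report tooling."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

SAMPLE_NAME = "htJVR9pt8V.exe"

# Namespace hosts that System.ServiceModel (WCF) embeds as XML constants in any
# .NET process that uses it (WS-Security/WS-Trust/WS-AT, DataContract, and the
# tempuri.org placeholder). They are not hosts the sample connects to.
# Assumption: this allowlist is the example author's; extend it for your environment.
WCF_NAMESPACE_HOSTS = {
    "schemas.xmlsoap.org",
    "docs.oasis-open.org",
    "tempuri.org",
    "schemas.datacontract.org",
}

SOCKET_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}:\d{1,5})(true|false)$")
ROW_END = re.compile(r"(true|false)$")


@dataclass
class Indicator:
    value: str                                # URL or ip:port
    kind: str                                 # "url" or "socket"
    malicious: bool                           # the report's Malicious column
    sources: List[str] = field(default_factory=list)
    av_detection: Optional[str] = None
    reputation: Optional[str] = None
    classification: str = "network-ioc"       # or "framework-noise"


def classify_url(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return "framework-noise" if host in WCF_NAMESPACE_HOSTS else "network-ioc"


def split_flattened_url_row(row: str, sample_name: str = SAMPLE_NAME):
    """'<url><sample>[, <dump>][, <sample>, <dump>...]<true|false>' -> (url, sources, malicious).

    The extractor dropped the cell boundaries: the URL ends where the first source
    reference (the sample's file name) begins, and the trailing true/false is the flag."""
    idx = row.find(sample_name)
    if idx < 0:
        raise ValueError(f"no source column: {row!r}")
    m = ROW_END.search(row)
    if m is None or m.start() < idx:
        raise ValueError(f"no malicious flag: {row!r}")
    url, src_text = row[:idx], row[idx:m.start()]
    sources = []
    for part in src_text.split(sample_name)[1:]:    # each part is '' or ', <dump>'
        dump = part.strip().strip(",").strip()
        sources.append(f"{sample_name}, {dump}" if dump else sample_name)
    return url, sources, m.group(1) == "true"


def parse_indicator_table(text: str, sample_name: str = SAMPLE_NAME) -> List[Indicator]:
    """Rows end in true/false; lines after a row are its AV detection ('• ...')
    and reputation cells until the next row starts."""
    records: List[Indicator] = []
    current: Optional[Indicator] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sock = SOCKET_ROW.match(line)
        if sock:
            current = Indicator(sock.group(1), "socket", sock.group(2) == "true")
            records.append(current)
        elif sample_name in line and ROW_END.search(line):
            url, sources, malicious = split_flattened_url_row(line, sample_name)
            current = Indicator(url, "url", malicious, sources,
                                classification=classify_url(url))
            records.append(current)
        elif current is not None:
            if line.startswith("•"):
                current.av_detection = line.lstrip("• ").strip()
            else:
                current.reputation = line
    return records


def network_iocs(records: List[Indicator]) -> List[Indicator]:
    """Everything that is not WCF namespace noise: the part that belongs on a blocklist."""
    return [r for r in records if r.classification == "network-ioc"]


def suricata_rule(ioc: Indicator, sid: int) -> str:
    """Suricata rule for a socket IOC, victim -> C2 direction. Message text is an assumption."""
    if ioc.kind != "socket":
        raise ValueError("only socket indicators become IP/port rules")
    ip, port = ioc.value.rsplit(":", 1)
    return (f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"RedLine C2 {ioc.value}"; flow:to_server,established; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


# Constructed input: four rows copied verbatim from this report's indicator tables.
SAMPLE_TABLE = """\
103.211.207.57:1912true
unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/scthtJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpfalse
• URL Reputation: safe
unknown
http://tempuri.org/Entity/Id9htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmpfalse
unknown
https://api.ip.sb/iphtJVR9pt8V.exefalse
• URL Reputation: safe
unknown
"""

if __name__ == "__main__":
    recs = parse_indicator_table(SAMPLE_TABLE)
    for r in network_iocs(recs):
        print(r.kind, r.value, "malicious" if r.malicious else "not flagged")
    print(suricata_rule(recs[0], 9000001))
```

Running it on the four sample rows keeps only 103.211.207.57:1912 and https://api.ip.sb/ip and drops the two WCF strings, which is the filter to apply before feeding a Joe Sandbox URL table into a blocklist or a reputation lookup. The api.ip.sb lookup is a legitimate service abused for victim geolocation, so it is evidence of stealer activity on a host but a poor candidate for blocking on its own.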
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.datacontract.org | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id14ResponseD | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002D79000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id23ResponseD | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id12Response | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.datacontract.org/2004/07/System.ServiceModeld | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/ | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id2Response | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21Response | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp; htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp; htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id6ResponseD | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002D79000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id5 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id4 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id7 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id6 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19Response | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13ResponseD | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15Response | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id5ResponseD | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6Response | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/ip | htJVR9pt8V.exe | false | URL Reputation: safe | unknown
http://schemas.datacontract.org/2004/07/ | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1ResponseD | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9Response | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp; htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id20 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id21 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id22 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp; htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.datacontract.org/2004/07/System.ServiceModel | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id24Response | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id1Response | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21ResponseD | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id10 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id11 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id12 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id16Response | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id14 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id15 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id16 | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                                                                                    http://tempuri.org/Entity/Id17htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id18htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id5ResponsehtJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id19htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnshtJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id15ResponseDhtJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id10ResponsehtJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RenewhtJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id11ResponseDhtJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://tempuri.org/Entity/Id8ResponsehtJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyhtJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDhtJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCThtJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2006/02/addressingidentityhtJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id17ResponseDhtJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/soap/envelope/htJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002A31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id8ResponseDhtJVR9pt8V.exe, 00000000.00000002.2211983501.0000000002D79000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        • No. of IPs < 25%
                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                        • 75% < No. of IPs
IP:103.211.207.57
Domain:unknown
Country:unknown
ASN:135391
ASN Name:AOFEI-HK AOFEI DATA INTERNATIONAL COMPANY LIMITED HK
Malicious:true
                                                                                                                        Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                        Analysis ID:1496463
                                                                                                                        Start date and time:2024-08-21 10:06:11 +02:00
                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                        Overall analysis duration:0h 4m 7s
                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                        Report type:full
                                                                                                                        Cookbook file name:default.jbs
                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
                                                                                                                        Number of new started drivers analysed:0
                                                                                                                        Number of existing processes analysed:0
                                                                                                                        Number of existing drivers analysed:0
                                                                                                                        Number of injected processes analysed:0
                                                                                                                        Technologies:
                                                                                                                        • HCA enabled
                                                                                                                        • EGA enabled
                                                                                                                        • AMSI enabled
                                                                                                                        Analysis Mode:default
                                                                                                                        Analysis stop reason:Timeout
                                                                                                                        Sample name:htJVR9pt8V.exe
                                                                                                                        renamed because original name is a hash value
                                                                                                                        Original Sample Name:A232B15DD85EC2B60276D31846D30ADB.exe
                                                                                                                        Detection:MAL
                                                                                                                        Classification:mal100.troj.spyw.evad.winEXE@1/1@0/1
                                                                                                                        EGA Information:
                                                                                                                        • Successful, ratio: 100%
                                                                                                                        HCA Information:
                                                                                                                        • Successful, ratio: 98%
                                                                                                                        • Number of executed functions: 19
                                                                                                                        • Number of non-executed functions: 1
                                                                                                                        Cookbook Comments:
                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                        • VT rate limit hit for: htJVR9pt8V.exe
Time:04:07:10
Type:API Interceptor
Description:75x Sleep call for process: htJVR9pt8V.exe modified
                                                                                                                        Process:C:\Users\user\Desktop\htJVR9pt8V.exe
                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):3293
                                                                                                                        Entropy (8bit):5.3364558769830905
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5sql:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qp
                                                                                                                        MD5:4597EFE428DB18BB65EEC00E0E0EC7B1
                                                                                                                        SHA1:FC763F5655835DFA6E032D20FE81DE058DB88509
                                                                                                                        SHA-256:CC68860A21A25EDB4BDE922B5E4C1AC0D9735D5E189387E8CDC2466EEE8DEDFE
                                                                                                                        SHA-512:EE25B64D8221DAAFABA5908002725D8A9E5D851CC77D752C66A5572773A9F087C210D9C53CBC1A63C0BEFE99616D27D1373170BD6716BEC743ADD7BE5C66E07E
                                                                                                                        Malicious:true
                                                                                                                        Reputation:low
                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Entropy (8bit):5.0813200104719565
                                                                                                                        TrID:
                                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                        File name:htJVR9pt8V.exe
                                                                                                                        File size:307'712 bytes
                                                                                                                        MD5:a232b15dd85ec2b60276d31846d30adb
                                                                                                                        SHA1:34b8407e5cb4d6acc1e032619474c6099f73bf93
                                                                                                                        SHA256:a976381b654aecf1a66b206bdaf74243321b4c67fd42079181efedc09665410e
                                                                                                                        SHA512:66e4e0989cb4a7bdb0be69da808283fc719334de8d7446f4c4452bc73026e47d5458134a518123c71b89f211c5c28c4f0eb4e55cc341dabb7e7903fbdfb4cbfc
                                                                                                                        SSDEEP:3072:GcZqf7D34Tp/0+mAYkygYdQ0ghnB1fA0PuTVAtkxzO3R4eqiOL2bBOA:GcZqf7DItnGapB1fA0GTV8koYL
                                                                                                                        TLSH:56645A5833E8C910DA7F4775D861D67093B0BCA3A552E70B4FC4ACAB3D32740EA50AB6
                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. ....................... ............@................................
                                                                                                                        Icon Hash:4d8ea38d85a38e6d
                                                                                                                        Entrypoint:0x43028e
                                                                                                                        Entrypoint Section:.text
                                                                                                                        Digitally signed:false
                                                                                                                        Imagebase:0x400000
                                                                                                                        Subsystem:windows gui
                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                        Time Stamp:0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
                                                                                                                        TLS Callbacks:
                                                                                                                        CLR (.Net) Version:
                                                                                                                        OS Version Major:4
                                                                                                                        OS Version Minor:0
                                                                                                                        File Version Major:4
                                                                                                                        File Version Minor:0
                                                                                                                        Subsystem Version Major:4
                                                                                                                        Subsystem Version Minor:0
                                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                        Instruction
                                                                                                                        jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
---- | --------------- | ------------ | -------------
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30240 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x1c9c6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
---- | --------------- | ------------ | -------- | --- | -------- | --------------- | --------- | ------- | ---------------
.text | 0x2000 | 0x2e294 | 0x2e400 | 2e582e6a5ae0860aa647cb4135d6effa | False | 0.47478885135135135 | data | 6.186120930530809 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x32000 | 0x1c9c6 | 0x1ca00 | a8cf3f8ff27a4a736ba8fb433d91107f | False | 0.2380765556768559 | data | 2.615031395625776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x50000 | 0xc | 0x200 | 21472a05bd31cf3b960b3bcc0808216b | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
---- | --- | ---- | ---- | -------- | ------- | ---------------
RT_ICON | 0x32220 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9934058898847631
RT_ICON | 0x35f24 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.09013072282030049
RT_ICON | 0x4674c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.13905290505432216
RT_ICON | 0x4a974 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.17033195020746889
RT_ICON | 0x4cf1c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.2045028142589118
RT_ICON | 0x4dfc4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.24645390070921985
RT_GROUP_ICON | 0x4e42c | 0x5a | data | | | 0.7666666666666667
RT_VERSION | 0x4e488 | 0x352 | data | | | 0.4447058823529412
RT_MANIFEST | 0x4e7dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
--- | ------
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
--------- | -------- | --- | --------- | -------- | ----------- | --------- | --------- | -------
2024-08-21T10:07:16.345336+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:03.338984+0200 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
2024-08-21T10:07:09.890560+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:17.298391+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:08.406815+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:18.417405+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:18.764580+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:14.282029+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:15.945604+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:19.498807+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:09.178838+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:17.711993+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:16.697652+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:12.052576+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:10.238865+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:02.991225+0200 | TCP | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:09.183698+0200 | TCP | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
2024-08-21T10:07:11.625848+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:18.065270+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:09.535391+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:14.729640+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:10.589120+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:15.080354+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:19.112469+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
2024-08-21T10:07:15.454784+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                        Aug 21, 2024 10:07:12.058649063 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.058743954 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.058768034 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.058777094 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.058820963 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.058850050 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.058871031 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.059199095 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.062186003 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.062197924 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.062273979 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.063613892 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.063704014 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.063713074 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.063752890 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.063797951 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.063837051 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.063935041 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.063965082 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.063975096 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.063992023 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.064023972 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.064043045 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.064527988 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.064604044 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.068330050 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.068344116 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.068423986 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.068837881 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.068954945 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.068965912 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.068974018 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069036007 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.069045067 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069081068 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069092035 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.069130898 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069133043 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.069159031 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069169998 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.069195986 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.069246054 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069257975 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069298983 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069310904 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069314957 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.069319010 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069442987 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069459915 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069478989 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069528103 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069536924 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069554090 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069562912 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069649935 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069668055 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069761038 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069770098 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.069777966 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.072618961 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.073297977 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.073425055 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.073625088 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.073689938 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.073713064 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.073721886 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.073731899 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.073781013 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.073782921 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.073792934 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.073796034 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.073822021 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.073832035 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.073837996 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.073873043 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.073918104 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.073926926 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.073956013 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.073971987 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.073999882 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.074008942 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074062109 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074073076 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074104071 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074114084 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074139118 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074147940 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074165106 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074215889 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074261904 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074271917 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074311018 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074331045 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074419022 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074428082 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074438095 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074449062 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074460983 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074521065 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074531078 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074542046 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074604034 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074613094 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074645996 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074713945 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074723005 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.074733019 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.076966047 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077219009 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.077274084 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.077548027 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077558041 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077615976 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077632904 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077691078 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077699900 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077711105 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077755928 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077775002 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077785015 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077862024 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077872038 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077900887 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077950954 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077975988 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.077986002 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078001022 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078011036 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078072071 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078080893 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078125954 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078135014 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078191042 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078201056 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078217983 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078250885 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078291893 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078310013 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078356028 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078385115 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078434944 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078444958 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078533888 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078562021 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078630924 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.078640938 CEST191249704103.211.207.57192.168.2.5
Aug 21, 2024 10:07:12.078732014 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.078747034 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.078841925 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.078850985 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.078866959 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.078877926 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.078934908 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.078953028 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.079027891 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.079051018 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.079117060 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.079125881 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.079159975 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.079195023 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.079268932 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.079287052 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.079340935 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.079349995 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.079545021 CEST | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
Aug 21, 2024 10:07:12.079602957 CEST | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
Aug 21, 2024 10:07:12.082461119 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.082490921 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.082508087 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.082562923 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.082617998 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.082627058 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.082672119 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.082690001 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.082753897 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.082762957 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.082799911 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.082815886 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.082892895 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.082909107 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.082920074 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083002090 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083013058 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083081007 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083091021 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083117962 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083134890 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083218098 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083401918 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083477020 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083487034 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083508968 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083518982 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083597898 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083606958 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083647013 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083656073 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083733082 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083741903 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083786011 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083794117 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083884001 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083894014 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083903074 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083937883 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.083983898 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084006071 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084055901 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084064960 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084096909 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084180117 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084188938 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084197044 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084220886 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084229946 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084283113 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084290981 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084323883 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084366083 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084403038 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084412098 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084501982 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084511995 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084536076 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084544897 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084584951 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084594965 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084625006 CEST | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
Aug 21, 2024 10:07:12.084628105 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084640980 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084685087 CEST | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
Aug 21, 2024 10:07:12.084692001 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084701061 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084732056 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084743977 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084800959 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084815979 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084826946 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084903002 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084912062 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084920883 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084953070 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.084961891 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085038900 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085069895 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085146904 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085155964 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085181952 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085205078 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085257053 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085266113 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085299015 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085308075 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085330963 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085385084 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085421085 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085428953 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085445881 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085464001 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085474968 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085551977 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085561037 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085572004 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085604906 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085619926 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085694075 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085709095 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085726023 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085735083 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085768938 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085777998 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085822105 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085830927 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.085866928 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089585066 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089596987 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089606047 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089741945 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089751005 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089778900 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089787960 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089802027 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089821100 CEST | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
Aug 21, 2024 10:07:12.089850903 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089863062 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089869976 CEST | 49704 | 1912 | 192.168.2.5 | 103.211.207.57
Aug 21, 2024 10:07:12.089876890 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089894056 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089903116 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089937925 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.089946985 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090013981 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090025902 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090035915 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090096951 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090106010 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090116978 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090161085 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090168953 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090217113 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090254068 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090302944 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090312958 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090328932 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090378046 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090388060 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090398073 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090468884 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090478897 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090576887 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090586901 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090596914 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090600967 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090615988 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090625048 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090682030 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090691090 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090702057 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090790987 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090801001 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090810061 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090833902 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090842962 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090888977 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.090903044 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.091012955 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.091022968 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.091031075 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.091041088 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.094908953 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.094974041 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.095000982 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.095009089 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.095020056 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.095055103 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
Aug 21, 2024 10:07:12.095114946 CEST | 1912 | 49704 | 103.211.207.57 | 192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095148087 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095212936 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.095232010 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095247030 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095263004 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.095273018 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095319986 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095427990 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095437050 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095447063 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095455885 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095463991 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095474958 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095484972 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095494032 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095510960 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095519066 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095539093 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095593929 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095602989 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095622063 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095633030 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095766068 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095855951 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095865011 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095922947 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.095947027 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096003056 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096012115 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096060038 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096069098 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096136093 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096144915 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096167088 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096177101 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096255064 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096263885 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096323967 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096333027 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096415043 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096425056 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096458912 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096513987 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096524954 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096549034 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096592903 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096632004 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.096640110 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100301027 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100317955 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100385904 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100404024 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100457907 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100470066 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100539923 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.100545883 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100555897 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100586891 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.100596905 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100610018 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100670099 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100678921 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100732088 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100745916 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100887060 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100908041 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100972891 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.100994110 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.101054907 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.101073980 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.101130962 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.101140022 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.101186991 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.101222038 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.101264000 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.101273060 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.101373911 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.121483088 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.126422882 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.126722097 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.126796961 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.126796961 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.126835108 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:12.131643057 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.131670952 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.131681919 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.131725073 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.131768942 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.131778955 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.131824970 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.131834030 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.131848097 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.131865025 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.131890059 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.131899118 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.131942987 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.131952047 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.131962061 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:12.152297020 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:14.142765045 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:14.184026003 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:14.282028913 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:14.383694887 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:14.383797884 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:14.384676933 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:14.727329969 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:14.729640007 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:14.735466003 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:15.076910019 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:15.080353975 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:15.085259914 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:15.427144051 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:15.454783916 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:15.459816933 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:15.802824020 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:15.802901030 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:15.802918911 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:15.802931070 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:15.802948952 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:15.802966118 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:15.802999973 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:15.803044081 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:15.945604086 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:15.950417995 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:16.294431925 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:16.340262890 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:16.345335960 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:16.350095987 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:16.692045927 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:16.697652102 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:16.702670097 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:16.702682018 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:16.702696085 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:16.702754974 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:16.702764034 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:16.702785969 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:17.292435884 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:17.298391104 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:17.305430889 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:17.647373915 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:17.699666023 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:17.711992979 CEST497041912192.168.2.5103.211.207.57
                                                                                                                        Aug 21, 2024 10:07:17.716959953 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:17.716974020 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:17.716999054 CEST191249704103.211.207.57192.168.2.5
                                                                                                                        Aug 21, 2024 10:07:17.717020988 CEST191249704103.211.207.57192.168.2.5


Target ID: 0
Start time: 04:07:00
Start date: 21/08/2024
Path: C:\Users\user\Desktop\htJVR9pt8V.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\htJVR9pt8V.exe"
Imagebase: 0x640000
File size: 307'712 bytes
MD5 hash: A232B15DD85EC2B60276D31846D30ADB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.2026010783.0000000000642000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2211983501.0000000002AC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2211983501.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 6.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 52
Total number of Limit Nodes: 9
Memory Dump Source
• Source File: 00000000.00000002.2226880328.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7c00000_htJVR9pt8V.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2d69ca574e6b066d0b2edd9aa32819604ec16f9e633767088c043f4cfd1585f5
• Instruction ID: 63114a5e54a6a7c5bcb70fe0a5e3d8f226c5f5171669b0bf420c39f797fbd411
• Opcode Fuzzy Hash: 2d69ca574e6b066d0b2edd9aa32819604ec16f9e633767088c043f4cfd1585f5
• Instruction Fuzzy Hash: 2232CEB0B012048FDB18DB69C594BAEBBF6AF89300F254469E545EB3A1CF34ED45CB91

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 00E5D136
• GetCurrentThread.KERNEL32 ref: 00E5D173
• GetCurrentProcess.KERNEL32 ref: 00E5D1B0
• GetCurrentThreadId.KERNEL32 ref: 00E5D209
Memory Dump Source
• Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_htJVR9pt8V.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 29e55177c6d81818a087dd5cbea4cb035870457a6e1c71d30e8f30af98b415d2
• Instruction ID: 9a19598fe9beb2e7ea609e007ed36f8aa6ccbec67a06cce4c84aebd0e9e58317
• Opcode Fuzzy Hash: 29e55177c6d81818a087dd5cbea4cb035870457a6e1c71d30e8f30af98b415d2
• Instruction Fuzzy Hash: B95155B09043498FDB14DFA9D948BAEBBF1FF88314F20845DE409A72A0D7389984CB65

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 00E5D136
• GetCurrentThread.KERNEL32 ref: 00E5D173
• GetCurrentProcess.KERNEL32 ref: 00E5D1B0
• GetCurrentThreadId.KERNEL32 ref: 00E5D209
Memory Dump Source
• Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_htJVR9pt8V.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 1ed58968f091b5f96f144f5db2458d80fea565bda4f4730a0532f658e53e3d36
• Instruction ID: fcd705e6b1d9acb46d0a004b4bb423bd6e5b68c1cdddeca66510a1991ccce702
• Opcode Fuzzy Hash: 1ed58968f091b5f96f144f5db2458d80fea565bda4f4730a0532f658e53e3d36
• Instruction Fuzzy Hash: 565167B09007498FDB14DFA9D948BAEBBF1FF88314F208459E409B73A0D7389984CB65

Control-flow Graph

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00E5B086
Memory Dump Source
• Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_htJVR9pt8V.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 4477c244cf7cd55b945e9772a0f233bae72c2c3759805ce27dc5710a710eebc2
• Instruction ID: a63f476d783cd891994ff97a24e4bd4211077f8c78285ca3ba9cd999cad45344
• Opcode Fuzzy Hash: 4477c244cf7cd55b945e9772a0f233bae72c2c3759805ce27dc5710a710eebc2
• Instruction Fuzzy Hash: D1816970A00B458FD724DF29D44179ABBF1FF88305F048A2DE88AE7A50DB75E849CB91

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 00E559F1
Memory Dump Source
• Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_htJVR9pt8V.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: f3a8151c0f460d254ac72ee1c0c335d6befea1a65050cbd3ca9b727ce6530538
• Instruction ID: bae6379c16921d1fa18d6c428deb7833cdcb657668f3dffa8b04bda9e0a66462
• Opcode Fuzzy Hash: f3a8151c0f460d254ac72ee1c0c335d6befea1a65050cbd3ca9b727ce6530538
• Instruction Fuzzy Hash: AC41FFB1C00619CEDB24CFA9C884ADDBBB6BF88304F20855AD408BB251DB75694ACF91

Control-flow Graph

APIs
• CreateActCtxA.KERNEL32(?), ref: 00E559F1
Memory Dump Source
• Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_htJVR9pt8V.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 3cd571d0e891ed651c3cd988addeb7bbd01609ab52e122e3fb4c452fb39057c7
• Instruction ID: 722b6792f0b262cfa5b2cf1fb50acb41b4ac932cc904174e0787766029035420
• Opcode Fuzzy Hash: 3cd571d0e891ed651c3cd988addeb7bbd01609ab52e122e3fb4c452fb39057c7
• Instruction Fuzzy Hash: 5941E0B1C00719CADB24CFA9C884B9DBBF5FF88304F20856AD408BB255DB75694ACF91

Control-flow Graph

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E5D387
Memory Dump Source
• Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e50000_htJVR9pt8V.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 1b23208a74316c91a639b8d98b21ee29e20f8b42653ef277d6dfd4518e3bdbe8
• Instruction ID: 8a05a52b984293867b0480810f56f61f3075dff02daaeb1394cb8947a671dce7
• Opcode Fuzzy Hash: 1b23208a74316c91a639b8d98b21ee29e20f8b42653ef277d6dfd4518e3bdbe8
• Instruction Fuzzy Hash: A021E0B59002489FDB10CFAAD985AEEBFF5FB48310F14841AE918B3350C378A955CFA1

Control-flow Graph (basic blocks and edges recovered from the rendered graph)
• 469: e5d300-e5d394 (calls DuplicateHandle)
• 470: e5d396-e5d39c
• 471: e5d39d-e5d3ba
• Edges: 469->470, 469->471, 470->471
                                                                                                                          APIs
                                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E5D387
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_e50000_htJVR9pt8V.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: DuplicateHandle
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3793708945-0
                                                                                                                          • Opcode ID: 242cd7860e1897f66402e9963d1971fed26980bf10a3625fc256810f92079246
                                                                                                                          • Instruction ID: 095ca7279e20ce45bcea289d05fa0ab37fb05448a239934fd2d28be2977282f3
                                                                                                                          • Opcode Fuzzy Hash: 242cd7860e1897f66402e9963d1971fed26980bf10a3625fc256810f92079246
                                                                                                                          • Instruction Fuzzy Hash: 3221C4B59002489FDB10CFAAD985ADEBFF9FB48310F14841AE918A3350D378A954CFA5

Control-flow Graph (basic blocks and edges recovered from the rendered graph)
• 474: e5a870-e5b2e8
• 476: e5b2f0-e5b31f (calls LoadLibraryExW)
• 477: e5b2ea-e5b2ed
• 478: e5b321-e5b327
• 479: e5b328-e5b345
• Edges: 474->476, 474->477, 476->478, 476->479, 477->476, 478->479
                                                                                                                          APIs
                                                                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E5B101,00000800,00000000,00000000), ref: 00E5B312
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_e50000_htJVR9pt8V.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: LibraryLoad
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1029625771-0
                                                                                                                          • Opcode ID: 7401671393ce5297c5a9f33b104687235dfc3ae80668a65499dc26e28af43d8d
                                                                                                                          • Instruction ID: f2f78379e77c8be2aea87e40f2099c0566029257cf740a2acf105e584792d786
                                                                                                                          • Opcode Fuzzy Hash: 7401671393ce5297c5a9f33b104687235dfc3ae80668a65499dc26e28af43d8d
                                                                                                                          • Instruction Fuzzy Hash: 2B11E4B69003499FDB10DF9AC444AEEFBF4EB48311F14842ED919B7250C3B9A945CFA5

Control-flow Graph (basic blocks and edges recovered from the rendered graph)
• 482: e5b2a0-e5b2e8
• 483: e5b2f0-e5b31f (calls LoadLibraryExW)
• 484: e5b2ea-e5b2ed
• 485: e5b321-e5b327
• 486: e5b328-e5b345
• Edges: 482->483, 482->484, 483->485, 483->486, 484->483, 485->486
                                                                                                                          APIs
                                                                                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E5B101,00000800,00000000,00000000), ref: 00E5B312
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_e50000_htJVR9pt8V.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: LibraryLoad
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1029625771-0
                                                                                                                          • Opcode ID: a195280f650833a8f746dc20134ec5ce6a90e0e7862c1cfa74e306b8dca049e0
                                                                                                                          • Instruction ID: 30b95a9ece5204f64b665b0e9964c38e61f48835bd6d0a3b36d82750cd1987ec
                                                                                                                          • Opcode Fuzzy Hash: a195280f650833a8f746dc20134ec5ce6a90e0e7862c1cfa74e306b8dca049e0
                                                                                                                          • Instruction Fuzzy Hash: FF1112B68002488FDB10CFAAC444ADEFBF4EF88310F14842ED819B7210C379A585CFA1

Control-flow Graph (basic blocks and edges recovered from the rendered graph)
• 489: e5b020-e5b060
• 490: e5b062-e5b065
• 491: e5b068-e5b093 (calls GetModuleHandleW)
• 492: e5b095-e5b09b
• 493: e5b09c-e5b0b0
• Edges: 489->490, 489->491, 490->491, 491->492, 491->493, 492->493
                                                                                                                          APIs
                                                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00E5B086
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_e50000_htJVR9pt8V.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID: HandleModule
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4139908857-0
                                                                                                                          • Opcode ID: 9609f2f5e736e3096c5a58db5c9709d29719307673760c26a7e3e96703e5edd8
                                                                                                                          • Instruction ID: 1247b21676b81f4f84fc5097f2ae6b3c4e4c766a056ccbf46f1bd6449476ea94
                                                                                                                          • Opcode Fuzzy Hash: 9609f2f5e736e3096c5a58db5c9709d29719307673760c26a7e3e96703e5edd8
                                                                                                                          • Instruction Fuzzy Hash: 0D11DFB5C00349CFCB20DF9AC444A9EFBF8AB89324F14841AD829B7250C379A549CFA5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2211061198.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c7d000_htJVR9pt8V.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: d3fb22f93b2e26ea179c538426901f87bf6dea1679ae4cf0b4ff2f6c657a59ea
                                                                                                                          • Instruction ID: 9ffebfcc1586513241bad86cc7e38ffdba1f3760503b90123d9fa13bb477c709
                                                                                                                          • Opcode Fuzzy Hash: d3fb22f93b2e26ea179c538426901f87bf6dea1679ae4cf0b4ff2f6c657a59ea
                                                                                                                          • Instruction Fuzzy Hash: 8921F476500240DFCB099F14D9C0F26BFB6FF88314F24C669E94E0A25AC33AD816DBA1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2211061198.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c7d000_htJVR9pt8V.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 0f02581fa6bc5a8a0ad6538902586c2e91e97d0710e3d927d3e97c33d15affe6
                                                                                                                          • Instruction ID: 0734941997072b9050207c6f5cc780dd7057b948656afebf03b0f9efd5ad7291
                                                                                                                          • Opcode Fuzzy Hash: 0f02581fa6bc5a8a0ad6538902586c2e91e97d0710e3d927d3e97c33d15affe6
                                                                                                                          • Instruction Fuzzy Hash: AA21F172500204DFDB05DF14D9C0B26BF75FF98324F20C569E90E0B256C33AE856DAA2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2211089066.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c8d000_htJVR9pt8V.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 557504577222984a9d63ea671bf41fff8bd89e2c756012595397d8ece01cb9d3
                                                                                                                          • Instruction ID: c729935e02dd4a4be82bc1ffa53aad05d1025bc5a39256d862f1d990ee165cd2
                                                                                                                          • Opcode Fuzzy Hash: 557504577222984a9d63ea671bf41fff8bd89e2c756012595397d8ece01cb9d3
                                                                                                                          • Instruction Fuzzy Hash: 9B21D071604204EFDB14EF24D984B26BB65EB88318F20C569E94A4B296C33AD806CB66
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2211089066.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c8d000_htJVR9pt8V.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 6a9e9bf5c33c51b53d780c0c804e8df7a445edb5127c15da38050994ddda92d6
                                                                                                                          • Instruction ID: ff46419373ab934b81dcb56f2c6a09dc4efeef842d6b7a83126bed616a2ce934
                                                                                                                          • Opcode Fuzzy Hash: 6a9e9bf5c33c51b53d780c0c804e8df7a445edb5127c15da38050994ddda92d6
                                                                                                                          • Instruction Fuzzy Hash: FC2192755093C08FDB02DF24D994715BF71EB46314F28C5EAD8898F2A7C33A980ACB62
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2211061198.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c7d000_htJVR9pt8V.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
                                                                                                                          • Instruction ID: 130145dbde5f551eaccce16d4138f404877888c864bf99842a09dd0b228175de
                                                                                                                          • Opcode Fuzzy Hash: b4df52cb15700b59c5b6b401fa95ea1d4e97f6e18881beb99e30f99f1fcf6035
                                                                                                                          • Instruction Fuzzy Hash: A421A276504280DFCB16CF10D9C4B16BF72FF88314F24C6A9D9490B25AC33AD556DB91
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2211061198.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c7d000_htJVR9pt8V.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                                                          • Instruction ID: 54988af7a68da7c1aaae7367294223799741e940d50193b00486c993e79e62a9
                                                                                                                          • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                                                          • Instruction Fuzzy Hash: 9C112672404240DFCB02CF10D5C4B16BF71FF94324F24C6A9D90A0B256C33AE95ACBA2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2211061198.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c7d000_htJVR9pt8V.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: c12293a1242f69f2513cb226c77c423db749d9841478f3443a6e4ad6c179029a
                                                                                                                          • Instruction ID: e2494663589e91de610d316d51647398aec993d03665bd3b383feb9eb8f1e904
                                                                                                                          • Opcode Fuzzy Hash: c12293a1242f69f2513cb226c77c423db749d9841478f3443a6e4ad6c179029a
                                                                                                                          • Instruction Fuzzy Hash: 9901A731108344DAD7108B1AC984B67BFFCFF95330F18C46AED1E1A286C2799D41D671
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2211061198.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_c7d000_htJVR9pt8V.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 8f9a704f1aca972c2d3a575d36d4a4b6f50457079d351770cec29ec8f4cf6356
                                                                                                                          • Instruction ID: b2acbd241c4e5c1a7838da7935e72639e53a927f335859127f5b48156aa0ab58
                                                                                                                          • Opcode Fuzzy Hash: 8f9a704f1aca972c2d3a575d36d4a4b6f50457079d351770cec29ec8f4cf6356
                                                                                                                          • Instruction Fuzzy Hash: 4FF0C2714083449EE7108E16C884B62FFA8EF55734F18C45AED1D0B286C2799940CAB0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                          • Snapshot File: hcaresult_0_2_e50000_htJVR9pt8V.jbxd
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 1d69e6dc8627362dd04065b23833eed32700feaaa2c0478563f314c27ccb3c07
                                                                                                                          • Instruction ID: 4416b7c59eda84181e97dd8fc372b26e826fd115c0fcf2d35486eaa888c6ae53
                                                                                                                          • Opcode Fuzzy Hash: 1d69e6dc8627362dd04065b23833eed32700feaaa2c0478563f314c27ccb3c07
                                                                                                                          • Instruction Fuzzy Hash: 9DA17A36A002098FCF15DFB5C88059EB7B2FF84305B15997AED05BB265DB71E949CB80
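The function records above (control-flow graph, API call site, memory dump source, opcode and instruction fuzzy hashes) are machine-generated, and an analyst triaging the dump usually wants them in structured form. The Python below is an added example, not Joe Sandbox code. It parses four of the records exactly as they are printed in this report (copied inline as a constructed sample, cut down to the lines the parser reads) and then runs two checks the report does not perform itself: a nibble-wise Hamming distance between Instruction Fuzzy Hashes to flag near-duplicate functions, and a scan for API call sites listed under more than one recovered function. The distance measure and its cut-off of 12 are assumptions for illustration, not Joe Sandbox's own Similarity metric. The second check is motivated by the records for functions 474 and 482: both reference LoadLibraryExW at 00E5B312 and both first blocks end at e5b2e8, which is worth checking in IDA before treating them as two functions.

```python
"""Parse Joe Sandbox IDA-plugin function records and run two triage checks.

Added example, not Joe Sandbox code. SAMPLE is a constructed excerpt: four records
copied from this report, cut down to the lines the parser reads (the first record's
graph and API lines fall before the excerpt). nibble_distance() is an assumed,
simple measure, not Joe Sandbox's 'Similarity' metric; MAX_DISTANCE is arbitrary.
"""
import re
from dataclasses import dataclass, field

SAMPLE = """
• Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
• API ID: DuplicateHandle
• Instruction Fuzzy Hash: A021E0B59002489FDB10CFAAD985AEEBFF5FB48310F14841AE918B3350C378A955CFA1
control_flow_graph 469 e5d300-e5d394 DuplicateHandle 470 e5d396-e5d39c 469->470 471 e5d39d-e5d3ba 469->471 470->471
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E5D387
• Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
• API ID: DuplicateHandle
• Instruction Fuzzy Hash: 3221C4B59002489FDB10CFAAD985ADEBFF9FB48310F14841AE918A3350D378A954CFA5
control_flow_graph 474 e5a870-e5b2e8 476 e5b2f0-e5b31f LoadLibraryExW 474->476 477 e5b2ea-e5b2ed 474->477 478 e5b321-e5b327 476->478 479 e5b328-e5b345 476->479 477->476 478->479
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E5B101,00000800,00000000,00000000), ref: 00E5B312
• Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
• API ID: LibraryLoad
• Instruction Fuzzy Hash: 2B11E4B69003499FDB10DF9AC444AEEFBF4EB48311F14842ED919B7250C3B9A945CFA5
control_flow_graph 482 e5b2a0-e5b2e8 483 e5b2f0-e5b31f LoadLibraryExW 482->483 484 e5b2ea-e5b2ed 482->484 485 e5b321-e5b327 483->485 486 e5b328-e5b345 483->486 484->483 485->486
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E5B101,00000800,00000000,00000000), ref: 00E5B312
• Source File: 00000000.00000002.2211352843.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
• API ID: LibraryLoad
• Instruction Fuzzy Hash: FF1112B68002488FDB10CFAAC444ADEFBF4EF88310F14842ED819B7210C379A585CFA1
"""

MAX_DISTANCE = 12  # assumed cut-off: hashes this close are flagged as near-duplicates

BLOCK_RE = re.compile(r"\b(\d+) ([0-9a-f]+)-([0-9a-f]+)\b")   # "469 e5d300-e5d394"
EDGE_RE = re.compile(r"\b(\d+)->(\d+)\b")                      # "469->470"
CALL_RE = re.compile(r"• (\w+)\.(\w+)\((.*?)\), ref: ([0-9A-F]+)")
SRC_RE = re.compile(r"Source File: (\S+), Offset: ([0-9A-F]+)")


@dataclass
class FunctionRecord:
    api_id: str = ""
    source_file: str = ""
    fuzzy_hash: str = ""                          # Instruction Fuzzy Hash
    blocks: dict = field(default_factory=dict)    # node id -> (start, end)
    edges: list = field(default_factory=list)     # (src node, dst node)
    calls: list = field(default_factory=list)     # (api, module, ref address)

    @property
    def start(self):
        """Start of the first listed basic block; '' when no graph was captured."""
        return next(iter(self.blocks.values()), ("", ""))[0]


def parse_records(text):
    """One record per 'Instruction Fuzzy Hash' line, which closes every record."""
    records, cur = [], FunctionRecord()
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("control_flow_graph"):
            cur.blocks = {n: (s, e) for n, s, e in BLOCK_RE.findall(line)}
            cur.edges = EDGE_RE.findall(line)
        elif m := CALL_RE.match(line):
            cur.calls.append((m.group(1), m.group(2), m.group(4)))
        elif m := SRC_RE.search(line):
            cur.source_file = m.group(1)
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = FunctionRecord()
    return records


def nibble_distance(h1, h2):
    """Hex digits that differ between two equal-length fuzzy hashes (assumed measure)."""
    if len(h1) != len(h2):
        raise ValueError("fuzzy hashes differ in length")
    return sum(a != b for a, b in zip(h1, h2))


def near_duplicates(records, max_distance=MAX_DISTANCE):
    """(i, j, distance) for record pairs whose fuzzy hashes are within max_distance."""
    pairs = []
    for i, a in enumerate(records):
        for j in range(i + 1, len(records)):
            b = records[j]
            if len(a.fuzzy_hash) == len(b.fuzzy_hash):
                d = nibble_distance(a.fuzzy_hash, b.fuzzy_hash)
                if d <= max_distance:
                    pairs.append((i, j, d))
    return pairs


def shared_call_sites(records):
    """(api, ref) call sites listed under more than one recovered function start."""
    seen = {}
    for r in records:
        for api, _module, ref in r.calls:
            seen.setdefault((api, ref), []).append(r.start)
    return {k: v for k, v in seen.items() if len(v) > 1}
```

On the sample, parse_records(SAMPLE) yields four records; near_duplicates() flags records 0 and 1 (the two DuplicateHandle functions, 10 of 70 hex digits differ), and shared_call_sites() returns LoadLibraryExW at 00E5B312 under both e5a870 and e5b2a0. To run it over a full report export, feed the text of the whole IDA-plugin section to parse_records() instead of SAMPLE.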