
Windows Analysis Report
SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Analysis ID: 1537051
MD5: f0ecb0b7a365f88b26f3cb7d5101881a
SHA1: 09e0740dad05507a1d652995f6eebb3eadddf7b7
SHA256: 4d97c5998d3d572ebdfbcad5ff324bf33a355fa49f0fbfb2ee8f50af7ccaec49
Tags: exe

Detection

Go Injector, RedLine
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Go Injector
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Installs new ROOT certificates
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["185.215.113.9:12617"], "Bot Id": "Hanaa", "Authorization Header": "0e2b43b28f6c980406364d73b3b371a7"}
Source | Rule | Description | Author | Strings
SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | JoeSecurity_GoInjector_2 | Yara detected Go Injector | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.3007789626.000000C0005AC000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000003.2631370302.000000C0008A6000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.3310532037.000000C000588000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000003.3005308576.000000C0006B8000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth | 0x0:$x1: 4d5a9000030000000
00000000.00000002.3310893840.000000C000858000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(5 of 11 entries shown)

Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c00049e000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c00058c000.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.3.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c000a16000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c000858000.4.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.3.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c0008a6000.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(5 entries)
                      No Sigma rule has matched
                      No Suricata rule has matched


                      AV Detection

Source: 0.3.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c0008a6000.1.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["185.215.113.9:12617"], "Bot Id": "Hanaa", "Authorization Header": "0e2b43b28f6c980406364d73b3b371a7"}
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.4% probability
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\Eula.pdb888 source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\Eula.pdb source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: BitLockerToGo.pdb source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.2631370302.000000C000858000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: SystemSettings.pdb source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.3004317044.000000C0007E0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: BitLockerToGo.pdbGCTL source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.2631370302.000000C000858000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: SystemSettings.pdbGCTL source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.3004317044.000000C0007E0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp

                      Networking

Source: Malware configuration extractor | URLs: 185.215.113.9:12617
Source: Joe Sandbox View | IP Address: 185.199.110.133
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /EDDYCJY/fake-useragent/v0.2.0/static/fake_useragent_0.2.0.json HTTP/1.1
    Host: raw.githubusercontent.com
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C000470000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://go.mail.ru/help/robots)
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C000470000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://notifyninja.com/monitoring
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C000580000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C00043C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.3007893098.000000C000580000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.apple.com/go/applebot)
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C0001FF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.brandwatch.net)
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C000168000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/mobile/adsbot.html)
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C000168000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/mobile/adsbot.html)C:
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C000168000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com/mobile/adsbot.html)Mozilla/5.0
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtdcannot
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C000470000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.icjobs.de)
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C0001FF000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C000470000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.jobboerse.com/bot.htm)
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C000168000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.similartech.com/smtbot)
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C000168000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.similartech.com/smtbot)Mozilla/5.0
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C0001FF000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C000470000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.xn--jobbrse-d1a.com)
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C000558000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://yandex.com/bots)
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.2631370302.000000C0008A6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C000588000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.3007789626.000000C0005AC000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C00049D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.3005997659.000000C000640000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.2629519795.000000C000931000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | String found in binary or memory: https://golang.org/doc/faq#nil_errorcollected
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | String found in binary or memory: https://locationInfinityencodingprotobuftype_urlhttp/1.1mac-os-xcomputerNO_PROXYdisabledrequiredopti
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | String found in binary or memory: https://management.azure.com%q
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | String found in binary or memory: https://onsi.github.io/gomega/#adjusting-output
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | String found in binary or memory: https://onsi.github.io/gomega/#eventually
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C000470000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.jobboerse.com/bot.htm)
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704

                      System Summary

Source: 00000000.00000003.3005308576.000000C0006B8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.3005069060.000000C000750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.3075843578.000000C003266000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.3074488765.000000C0032A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2631370302.000000C000900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000002.3312288498.000000C001D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | Static PE information: Number of sections: 12 > 10
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClampers.exe8 vs SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEula.exe* vs SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.2629519795.000000C000A59000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClampers.exe8 vs SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.2631370302.000000C000858000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBITLOCKERTOGO.EXEj% vs SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.3006634269.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClampers.exe8 vs SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.3005416512.000000C000673000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClampers.exe8 vs SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.3005852551.000000C000663000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClampers.exe8 vs SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.2629519795.000000C0008F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClampers.exe8 vs SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000000.2053965778.00007FF722AD4000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCapCut.exeD" vs SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClampers.exe8 vs SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename32BitMAPIBroker.exeD vs SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.3004317044.000000C0007E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystemSettings.exej% vs SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | Binary or memory string: OriginalFilenameCapCut.exeD" vs SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Source: 00000000.00000003.3005308576.000000C0006B8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.3005069060.000000C000750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.3075843578.000000C003266000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.3074488765.000000C0032A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2631370302.000000C000900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000002.3312288498.000000C001D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine | Classification label: mal92.troj.winEXE@1/1@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | File created: C:\Users\user\AppData\Local\Temp\fake_useragent_0.2.0.json
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000000.2051979895.00007FF722022000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: SelectExprDprotobuf:"bytes,5,opt,name=select_expr,json=selectExpr,proto3,oneof"O*func([]resolver.Address, balancer.NewSubConnOptions) (balancer.SubConn, error)O*struct { F uintptr; X0 *transport.http2Client; X1 *transport.Stream; X2 bool }O*struct { F uintptr; X0 *transport.http2Server; X1 *transport.Stream; X2 bool }P*struct { *promhttp.responseWriterDelegator; http.Hijacker; http.CloseNotifier }P*struct { *promhttp.responseWriterDelegator; io.ReaderFrom; http.CloseNotifier }P*func(context.Context, string, *net.TCPAddr, *net.TCPAddr) (*net.TCPConn, error)P*struct { F uintptr; X0 chan struct {}; X1 http.RoundTripper; X2 *http.Request }P*map.bucket[uint16]struct { curve ecdh.Curve; hash crypto.Hash; nSecret uint16 }P*func(context.Context, string, net.Conn) (net.Conn, credentials.AuthInfo, error)
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | ReversingLabs: Detection: 55%
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | String found in binary or memory: depgithub.com/docker/docker-credential-helpersv0.8.2h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine .localhostwsarecvmsgwsasendmsgIP addressunixpacket netGo = RIPEMD-160ChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtraSHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1POSTALCODEexecerrdotSYSTEMROOTConnectionKeep-Alivelocal-addrRST_STREAMEND_STREAMSet-Cookie stream=%dset-cookieuser-agentkeep-alive:authorityconnectionequivalentHost: %s
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | String found in binary or memory: stopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module data in goroutine runtime: seq1=runtime: goid=RegSetValueExWinternal error.in-addr.arpa.unknown mode: unreachable: /log/filter.go/log/helper.godata truncated
Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | String found in binary or memory: Estimated total available CPU time not spent executing any Go or Go runtime code. In other words, the part of /cpu/classes/total:cpu-seconds that was unused. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.ASTEmptyASTComparatorASTCurrentNodeASTExpRefASTFunctionExpressionASTFieldASTFilterProjectionASTFlattenASTIdentityASTIndexASTIndexExpressionASTKeyValPairASTLiteralASTMultiSelectHashASTMultiSelectListASTOrExpressionASTAndExpressionASTNotExpressionASTPipeASTProjectionASTSubexpressionASTSliceASTValueProjectionDistribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total GC-related stop-the-world time (/sched/pauses/total/gc:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.Distribution of individual non-GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total non-GC-related stop-the-world time (/sched/pauses/total/other:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDeadGC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.Estimated total CPU ti
Bucket counts increase monotonically.stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDeadGC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.Estimated total CPU ti
                      Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeString found in binary or memory: net/addrselect.go
                      Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeString found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
                      Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeString found in binary or memory: github.com/go-openapi/swag@v0.23.0/loading.go
                      Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeString found in binary or memory: google.golang.org/grpc@v1.63.2/internal/balancerload/load.go
                      Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeString found in binary or memory: dOaNajEYPL/load.go
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeSection loaded: winhttp.dllJump to behavior
                      Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                      Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeStatic PE information: Image base 0x140000000 > 0x60000000
                      Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeStatic file information: File size 20831232 > 1048576
                      Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x812000
                      Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x12ee00
                      Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0xa25e00
                      Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\Eula.pdb888 source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\Eula.pdb source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C0004E1000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: BitLockerToGo.pdb source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.2631370302.000000C000858000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: SystemSettings.pdb source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.3004317044.000000C0007E0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: BitLockerToGo.pdbGCTL source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.2631370302.000000C000858000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: SystemSettings.pdbGCTL source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.3004317044.000000C0007E0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C0005CF000.00000004.00001000.00020000.00000000.sdmp
                      Source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Static PE information: section name: .xdata

                      Persistence and Installation Behavior

                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\DVD VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\DVD\EFI VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\DVD\EFI\en-US VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\DVD\PCAT VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\bg-BG VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\da-DK VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\de-DE VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\el-GR VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\en-GB VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\en-US VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\es-MX VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\fi-FI VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\fr-CA VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\fr-FR VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\hr-HR VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\nb-NO VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\nl-NL VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\pl-PL VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\pt-PT VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\ru-RU VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\sl-SI VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\sr-Latn-RS VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\sv-SE VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\EFI\zh-CN VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\Misc VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\PCAT\de-DE VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\PCAT\en-GB VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\PCAT\hr-HR VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\PCAT\memtest.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\PCAT\memtest.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\PCAT\nb-NO VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\PCAT\nl-NL VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\PCAT\pl-PL VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\PCAT\pt-BR VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\PCAT\qps-ploc VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\PCAT\ru-RU VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\PCAT\sr-Latn-RS VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\PCAT\tr-TR VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Boot\Resources VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Branding\Basebrd\en-GB VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\CSC\v2.0.6\temp VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\DiagTrack\Scenarios VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Fonts VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\GameBarPresenceWriter VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\HelpPane.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\HelpPane.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\IME VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\IME\IMEJP VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\IME\IMEJP\Assets VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\IME\IMEJP\DICTS VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\IME\IMEKR VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\IME\IMETC\HELP VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\INF VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\INF\.NET CLR Networking\0000 VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\INF\.NET Memory Cache 4.0 VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\INF\LSM VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\INF\MSDTC\0000 VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\INF\ServiceModelOperation 3.0.0.0\0000 VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\INF\ServiceModelOperation 3.0.0.0\0409 VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\ImmersiveControlPanel\SystemSettings.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\ImmersiveControlPanel\SystemSettings.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\ImmersiveControlPanel\en-GB VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\ImmersiveControlPanel\pris VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\InputMethod\SHARED VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00 VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\AdobeCollabSync.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\AdobeCollabSync.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\CRLogTransport.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\CRWindowsClientService.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Eula.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Eula.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Exch_Acrobat.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Exch_Acrobat.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Exch_AcrobatInfo.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Exch_AcrobatInfo.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\SingleClientServicesUpdater.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\SingleClientServicesUpdater.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\_32bitmapibroker.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\_32bitmapibroker.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\_4bitmapibroker.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\_4bitmapibroker.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match File source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, type: SAMPLE
                      Source: Yara match File source: 00000000.00000000.2051979895.00007FF722506000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe PID: 5000, type: MEMORYSTR
                      Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c00049e000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c00058c000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c000a16000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c000858000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c0008a6000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c000620000.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c0008a6000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c00058c000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c000858000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c00049e000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000003.3007789626.000000C0005AC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.2631370302.000000C0008A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.3310532037.000000C000588000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.3310893840.000000C000858000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.3310009226.000000C00049D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.3005997659.000000C000640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.2629519795.000000C000931000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe PID: 5000, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, type: SAMPLE
Source: Yara match; File source: 00000000.00000000.2051979895.00007FF722506000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe PID: 5000, type: MEMORYSTR
Source: Yara match; File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c00049e000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c00058c000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c000a16000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c000858000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c0008a6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c000620000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c0008a6000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c00058c000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c000858000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe.c00049e000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000003.3007789626.000000C0005AC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2631370302.000000C0008A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3310532037.000000C000588000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3310893840.000000C000858000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3310009226.000000C00049D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.3005997659.000000C000640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2629519795.000000C000931000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe PID: 5000, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques with mapped signatures; the number in parentheses is the count of signatures mapped to the technique; cells of the matrix that carried no count are the default placeholders and are omitted here)

Reconnaissance: no mapped signatures
Resource Development: no mapped signatures
Initial Access: no mapped signatures
Execution: Command and Scripting Interpreter (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1)
Defense Evasion: Install Root Certificate (1), Modify Registry (1), DLL Side-Loading (1)
Credential Access: no mapped signatures
Discovery: Query Registry (1), System Information Discovery (12)
Lateral Movement: no mapped signatures
Collection: no mapped signatures
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (13)
Exfiltration: no mapped signatures
Impact: no mapped signatures
Antivirus detection (sample)
Source | Detection | Scanner | Label
SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | 55% | ReversingLabs | Win32.Ransomware.RedLine
No Antivirus matches
No Antivirus matches
No Antivirus matches

Antivirus detection (URLs)
Source | Detection | Scanner | Label
https://api.ip.sb/ip | 0% | URL Reputation | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
raw.githubusercontent.com | 185.199.110.133 | true | false | (none) | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/EDDYCJY/fake-useragent/v0.2.0/static/fake_useragent_0.2.0.json | false | (none) | unknown
185.215.113.9:12617 | true | (none) | unknown
URLs found in the sample and in process memory (not contacted during the analysis)
Name | Source | Malicious | Antivirus Detection | Reputation
http://notifyninja.com/monitoring | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C000470000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
http://www.xn--jobbrse-d1a.com) | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C0001FF000.00000004.00001000.00020000.00000000.sdmp; SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C000470000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
https://api.ip.sb/ip | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.2631370302.000000C0008A6000.00000004.00001000.00020000.00000000.sdmp; SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310532037.000000C000588000.00000004.00001000.00020000.00000000.sdmp; SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.3007789626.000000C0005AC000.00000004.00001000.00020000.00000000.sdmp; SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C00049D000.00000004.00001000.00020000.00000000.sdmp; SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.3005997659.000000C000640000.00000004.00001000.00020000.00000000.sdmp; SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000003.2629519795.000000C000931000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://locationInfinityencodingprotobuftype_urlhttp/1.1mac-os-xcomputerNO_PROXYdisabledrequiredopti | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | false | (none) | unknown
http://go.mail.ru/help/robots) | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C000470000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
https://golang.org/doc/faq#nil_errorcollected | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | false | (none) | unknown
http://www.similartech.com/smtbot) | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C000168000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
https://onsi.github.io/gomega/#adjusting-output | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | false | (none) | unknown
https://www.jobboerse.com/bot.htm) | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C000470000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtdcannot | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | false | (none) | unknown
http://www.brandwatch.net) | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C0001FF000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
http://www.google.com/mobile/adsbot.html) | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C000168000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
http://yandex.com/bots) | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C000558000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
http://www.google.com/mobile/adsbot.html)Mozilla/5.0 | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C000168000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
https://github.com/golang/protobuf/issues/1609): | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | false | (none) | unknown
http://www.google.com/mobile/adsbot.html)C: | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C000168000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
http://www.jobboerse.com/bot.htm) | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C0001FF000.00000004.00001000.00020000.00000000.sdmp; SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C000470000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
https://management.azure.com%q | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | false | (none) | unknown
http://www.icjobs.de) | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3310009226.000000C000470000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
http://www.similartech.com/smtbot)Mozilla/5.0 | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, 00000000.00000002.3307217031.000000C000168000.00000004.00001000.00020000.00000000.sdmp | false | (none) | unknown
https://onsi.github.io/gomega/#eventually | SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe | false | (none) | unknown

Reading note: the trailing ")" and the fused fragments ("Mozilla/5.0", "C:", "cannot", "collected", "%q") are neighbouring string data that the URL extractor pulled in, not part of the URLs. The crawler-related entries (adsbot, smtbot, yandex bots, jobboerse, icjobs, brandwatch, mail.ru robots) correspond to the user-agent strings in the dropped fake_useragent JSON described below, and the golang.org, gomega and golang/protobuf links are Go toolchain and library strings. None of them is an endpoint the sample contacted; the contacted-endpoint tables above list only raw.githubusercontent.com and 185.215.113.9:12617.
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.199.110.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
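The two contacted endpoints above need different handling when turned into detections: 185.215.113.9:12617 is a raw TCP channel on a non-standard port (the matrix maps it to Non-Application Layer Protocol), so it is matched on destination IP and port, whereas raw.githubusercontent.com is a shared host the report itself rates as not malicious, so only the exact fake_useragent_0.2.0.json path is an indicator. The script below is an added example written for this page, not part of the Joe Sandbox report or its tooling. It applies that logic to a few constructed firewall/proxy log lines in a hypothetical format (timestamp, source, destination, protocol, optional method and URL). The indicator values are copied from the tables above; the log format, the 10.0.0.5 client and the 203.0.113.7 address are assumptions made for the example.

```python
"""IOC matcher for the endpoints listed in this report (added example).

Constructed log format (hypothetical, not any real product's format):
    <ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> [<METHOD> <url>]
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Indicators taken from the report's contacted-endpoint tables.
C2_ENDPOINTS = {("185.215.113.9", 12617)}           # RedLine C2, raw TCP on a non-standard port
STAGING_URLS = {                                    # exact path only; the host itself is shared and benign
    "https://raw.githubusercontent.com/EDDYCJY/fake-useragent/v0.2.0/static/fake_useragent_0.2.0.json",
}
WEAK_SIGNAL_URLS = {"https://api.ip.sb/ip"}         # in the sample's strings, reputation "safe": weak signal

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\S+)(?: (?P<method>[A-Z]+) (?P<url>\S+))?$"
)


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    url: Optional[str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Event(m["ts"], m["src"], m["dst"], int(m["dport"]), m["proto"], m["url"])


def classify(ev: Event) -> list[str]:
    """Return the indicator tags an event matches (empty list means no match)."""
    hits: list[str] = []
    if (ev.dst, ev.dport) in C2_ENDPOINTS:
        hits.append("redline-c2")
    if ev.url is not None:
        if ev.url in STAGING_URLS:          # exact-path match; other GitHub raw content is not a hit
            hits.append("fake-useragent-fetch")
        elif ev.url in WEAK_SIGNAL_URLS:
            hits.append("external-ip-lookup")
    return hits


def scan_log(text: str) -> list[tuple[int, list[str]]]:
    """Scan a log (one event per line); return (1-based line number, tags) for matching lines."""
    results: list[tuple[int, list[str]]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        ev = parse_line(line)
        if ev is None:
            continue                        # unparseable line: skipped, never counted as a hit
        tags = classify(ev)
        if tags:
            results.append((lineno, tags))
    return results


def verdict(results: list[tuple[int, list[str]]]) -> str:
    """Collapse the hits to a host-level verdict: confirmed / suspicious / clean."""
    tags = {t for _, hits in results for t in hits}
    if "redline-c2" in tags:
        return "confirmed"                  # traffic to the C2 endpoint itself
    if "fake-useragent-fetch" in tags:
        return "suspicious"                 # stager behaviour seen, C2 contact not (yet) observed
    return "clean"


# Constructed sample log: 10.0.0.5 and 203.0.113.7 are placeholders, not values from the report.
SAMPLE_LOG = "\n".join([
    "2024-10-18T12:06:10Z 10.0.0.5:51234 -> 185.199.110.133:443 HTTPS GET "
    "https://raw.githubusercontent.com/EDDYCJY/fake-useragent/v0.2.0/static/fake_useragent_0.2.0.json",
    "2024-10-18T12:06:11Z 10.0.0.5:51235 -> 185.199.110.133:443 HTTPS GET "
    "https://raw.githubusercontent.com/example/repo/main/README.md",
    "2024-10-18T12:06:12Z 10.0.0.5:51236 -> 185.215.113.9:12617 TCP",
    "2024-10-18T12:06:13Z 10.0.0.5:51237 -> 203.0.113.7:443 HTTPS GET https://api.ip.sb/ip",
    "this line is not in the expected format",
])

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for lineno, tags in hits:
        print(f"line {lineno}: {', '.join(tags)}")
    print("verdict:", verdict(hits))
```

Two design points: the second log line, a different file on the same GitHub host, deliberately produces no hit, because alerting on raw.githubusercontent.com as a whole would drown the real signal; and the api.ip.sb lookup is kept as a weak, non-escalating tag because the report rates that URL safe even though the sample carries it.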
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1537051
Start date and time: 2024-10-18 14:06:02 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Detection: MAL
Classification: mal92.troj.winEXE@1/1@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe, PID 5000 because there are no executed functions
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
No simulations

Context: other analyses in which 185.199.110.133 was seen
Associated Sample Name / URL | Detection | Threat Name | Context
sys_upd.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
cr_asm_menu..ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
cr_asm_phshop..ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
cr_asm_atCAD.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
vF20HtY4a4.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
xK44OOt7vD.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Lm9IJ4r9oO.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
cr_asm_crypter.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_mnr.txt

Context: other analyses in which raw.githubusercontent.com was seen
Associated Sample Name / URL | Detection | Threat Name | Context
#U8a02#U55ae#U63cf#U8ff0.vbs | malicious | FormBook | 185.199.110.133
Z2tJveQl3B.exe | malicious | Unknown | 185.199.109.133
picturewithgirlsloveoneverydayhii.hta | malicious | Cobalt Strike | 185.199.111.133
seethebestpciturewithentireworldwiththisnew.tif.vbs | malicious | Unknown | 185.199.111.133
icreatedbeatufiuldayswithniceworkingskillhere.hta | malicious | Cobalt Strike | 185.199.108.133
SOA-INV0892024.xla.xlsx | malicious | FormBook | 185.199.109.133
nicetokissthebestthingsiwantotgetmebackwith.hta | malicious | Cobalt Strike, Remcos | 185.199.108.133
SWIFT COPY.xls | malicious | Remcos | 185.199.109.133
Orden de Compra No. 434565344657.xlam.xlsx | malicious | AgentTesla | 185.199.110.133
TNT Receipt_ 09004105.xls | malicious | Unknown | 185.199.109.133

Context: other analyses in which ASN FASTLYUS was seen
Associated Sample Name / URL | Detection | Threat Name | Context
#U8a02#U55ae#U63cf#U8ff0.vbs | malicious | FormBook | 185.199.110.133
https://eos.atebasyno.com/Jed4ZO4/#Kinfo@pickprotection.com | malicious | Unknown | 151.101.194.137
Document.html | malicious | HTMLPhisher | 151.101.194.137
Z2tJveQl3B.exe | malicious | Unknown | 185.199.109.133
picturewithgirlsloveoneverydayhii.hta | malicious | Cobalt Strike | 185.199.111.133
https://share.nuclino.com/p/Mlanie-BAUDRY-PARTAGER-UN-FICHIER-POUR-RVISION-4ogXl9spWg3RaCX5e3wD3b | malicious | Unknown | 151.101.194.137
https://bino8-7920.twil.io/index4.html | malicious | Unknown | 151.101.194.137
https://u47461937.ct.sendgrid.net/ls/click?upn=u001.90WJ2x5yie-2F4sdO-2BZ5bb0nufavWldnzsl0KnsmK3hMo-2BHMnWSF3DsxzbvDCWDsdFnegn-2BfWobRZ1kbLGMXgyXcGtyLzQM-2FGP3QHbHRPWVr6D0fLK-2BSNRq-2FVCZMabreIai9D-2BxA6whvHN5s1OqTfwm-2FgZQjeYErjyMYjob5nOcXGpRAG25SYwaNre11j-2BHVoXasoyLNyJtD1tPPwnUAPCOFLp9PDvSbufCeZgma-2FIK98-3Dcm_y_Ukbh-2F8Y2Z4RsyLMh2XL7Wo3yUsBZ9SeqI2Qmy9Bgt19mw9e4WkHPMitoZcq809ebbnmk8C6IJ5c7t29jrnIindsFxuY2R9d234nclZXStC9HmqBttLLojHUGnXdAWF5QJUx33skMns1apjumw9Pw3UfSTdjnlg5PrNNACcyuKpBoq4ETSyFgl4lbha5Mxiy3uArHLEv6ML9dlCYMz2aiMvH1U2BEaexXFmP3HsruDeCB11cOufMst2ySj2lo1MOLQ6aZD-2BJx5wirMGc5AFzol7YsHD-2BfJQUWDmNRvkyRWdsBEj0IMNeL5wqNyxjJ5hFrqTXQmCwpYMQ2bnKr-2BkBvSNUHzpUEqp-2BnPgQfjdKbtF3Z3im1MIzPwzt8NSpo3Gg6TTmqFNZ2ScP-2B7-2FoMepCdwrUSGGaAVc4bnbc7YhyZk1NsGgzWXhuiw5qQURbTlrLrNfUfcY80DFOe7nGqmxieALgNl9N387kxhKpFX-2Fnaawfjy5aLaOcnI1bIrW45QsQlpLgwiJocPCDckAx-2FSSuaxIwXkaLYj-2FPzrmv96ov5y2izrBMhWyBmDCPvZ5WDVvkaVY5wttF199PKn9A3y6nDVW-2BcDvQHCHFjHnYq34GMvKniNSIx5hiSo-2BnAFE75yLesQfb-2FtMOsyAp0aASAHTKj4fiYZ1gy2gQ6aTtm45axQJBOPfoW1XG1ZFy5zgMRuRNvLru7MEMaKlOzOBvYn-2BIMfSSpi7rtbb5t8KWTZg-2Br-2FY0Ad2S34htMKob86jSLvk5Zj3Hait9j-2B0TErriVJ9hutTBGU0IAH7S4LkHhpEYm9x8mvC3Gf2BwyPLHtkXi3HaVRoBV6YloGkBzCRSLnpyl2LhtBuhCV3pZreRfYAQGhh7nnEOGs0Wuw1wnYjV9yfByZ0NgFI-2Bs3XMcHsUMwml5eg-3D-3D | malicious | HTMLPhisher | 151.101.65.229
http://plankton-app-xfp49.ondigitalocean.app | malicious | TechSupportScam | 151.101.66.137
https://njanimallaw.com/divorce-family-law/ | malicious | Unknown | 151.101.2.137

No context
No context
Dropped file
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
File Type: JSON data
Category: dropped
Size (bytes): 352779
Entropy (8bit): 5.438169300269593
Encrypted: false
SSDEEP: 1536:GZRzzVjQQmWeFo+9DXycJv+E+icrYhnu8Je0ia4GL8+b2:8VjQhWAo+9DiYq
MD5: 0AF58ABD8A3FD21EB8C012A05A58AD0E
SHA1: 1725C9A836FF1AA112B84CEC370FA973A5E8F7CE
SHA-256: 12A537681364542407E0E1A7BF52D51B213335F28BF8253A4871C2599FF55602
SHA-512: 51DCBCD971F9D5A1F4B0967F9F6A277AF0361698D436869C0D167567D5BF4188C6CF3E3BBE1095D9901B9E5524EFC0DB3E59B54A0E8C191EFF40956EBF211002
Malicious: false
Reputation: moderate, very likely benign file
Preview (truncated in the report): {"android":["Mozilla/5.0 (Linux; Android 6.0.1; SM-J500M Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36","Mozilla/5.0 (Linux; Android 7.1.1; SAMSUNG SM-J250M Build/NMF26X) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/7.4 Chrome/59.0.3071.125 Mobile Safari/537.36","Mozilla/5.0 (Linux; Android 5.1.1; SAMSUNG SM-J120M Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/6.4 Chrome/56.0.2924.87 Mobile Safari/537.36","Mozilla/5.0 (Linux; Android 5.1.1; SM-J120M Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.91 Mobile Safari/537.36","Mozilla/5.0 (Linux; Android 6.0.1; SM-J700M Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/69.0.3497.100 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/192.0.0.34.85;]","Mozilla/5.0 (Linux; Android 7.0; SAMSUNG SM-G930F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/6.2 Chrome/56.0.2924.87 Mobile Safari/537.36","Mozilla/5.0 (Lin
Static file info (sample)
File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 5.93194214066098
TrID:
• Win64 Executable (generic) (12005/4) 74.95%
• Generic Win/DOS Executable (2004/3) 12.51%
• DOS Executable Generic (2002/1) 12.50%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
File size: 20'831'232 bytes
MD5: f0ecb0b7a365f88b26f3cb7d5101881a
SHA1: 09e0740dad05507a1d652995f6eebb3eadddf7b7
SHA256: 4d97c5998d3d572ebdfbcad5ff324bf33a355fa49f0fbfb2ee8f50af7ccaec49
SHA512: a31751a168931d00054ebfce14aaad3cfebb0f465a516ff6e142beb141d50e665f4f5912f25eead41dcd30de0bca4d86c15ed15a8fbe538ca4e75d25c899bf8f
SSDEEP: 196608:xRoY983hPZdFdpJvbAtqfMmjyS7yKMOW:f/MhP1dPvMSiS7AO
TLSH: A0273883E9A549E4C0A9D134C6669222BB717C488F7037D72F60F6682F72BD0AF79354
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$. ....=..L.............@..............................C.....\.>...`... ............................
Icon Hash: 0047190f1b190621
Entrypoint: 0x1400014c0
Entrypoint Section: .text
                                                                    Digitally signed:false
                                                                    Imagebase:0x140000000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                    TLS Callbacks:0x40807a00, 0x1, 0x408079d0, 0x1, 0x4080b470, 0x1
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:6
                                                                    OS Version Minor:1
                                                                    File Version Major:6
                                                                    File Version Minor:1
                                                                    Subsystem Version Major:6
                                                                    Subsystem Version Minor:1
                                                                    Import Hash:4a438adb9d59c004dab9ec35016a1405
                                                                    Instruction
                                                                    dec eax
                                                                    sub esp, 28h
                                                                    dec eax
                                                                    mov eax, dword ptr [01366155h]
                                                                    mov dword ptr [eax], 00000001h
                                                                    call 00007F02F0B30A4Fh
                                                                    nop
                                                                    nop
                                                                    dec eax
                                                                    add esp, 28h
                                                                    ret
                                                                    nop dword ptr [eax]
                                                                    dec eax
                                                                    sub esp, 28h
                                                                    dec eax
                                                                    mov eax, dword ptr [01366135h]
                                                                    mov dword ptr [eax], 00000000h
                                                                    call 00007F02F0B30A2Fh
                                                                    nop
                                                                    nop
                                                                    dec eax
                                                                    add esp, 28h
                                                                    ret
                                                                    nop dword ptr [eax]
                                                                    dec eax
                                                                    sub esp, 28h
                                                                    call 00007F02F134206Ch
                                                                    dec eax
                                                                    test eax, eax
                                                                    sete al
                                                                    movzx eax, al
                                                                    neg eax
                                                                    dec eax
                                                                    add esp, 28h
                                                                    ret
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    dec eax
                                                                    lea ecx, dword ptr [00000009h]
                                                                    jmp 00007F02F0B30D69h
                                                                    nop dword ptr [eax+00h]
                                                                    ret
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    nop
                                                                    jmp dword ptr [eax]
                                                                    inc edi
                                                                    outsd
                                                                    and byte ptr [edx+75h], ah
                                                                    imul ebp, dword ptr [esp+20h], 203A4449h
                                                                    and cl, byte ptr [ebx+4Eh]
                                                                    inc ebx
                                                                    push esp
                                                                    dec edi
                                                                    outsd
                                                                    dec edx
                                                                    pop edx
                                                                    jc 00007F02F0B30DF3h
                                                                    inc edx
                                                                    pop edx
                                                                    arpl word ptr [di], bp
                                                                    sub eax, 2F6A6139h
                                                                    inc ebp
                                                                    dec edi
                                                                    xor dl, byte ptr [edi+68h]
                                                                    push ecx
                                                                    xor ecx, dword ptr [eax+35h]
                                                                    insb
                                                                    push 00000077h
                                                                    dec ebx
                                                                    xor dword ptr [eax+44h], ebp
                                                                    dec eax
                                                                    pop edx
                                                                    xor al, 2Fh
                                                                    push edi
                                                                    jc 00007F02F0B30DC4h
                                                                    dec esi
                                                                    inc esp
                                                                    arpl word ptr [edi+68h], sp
                                                                    dec eax
                                                                    push ecx
                                                                    dec esi
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x13ef000 | 0x4e | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13f0000 | 0x1438 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13f4000 | 0x1719a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1368000 | 0x30330 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x140c000 | 0x2cb00 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1366f80 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x13f048c | 0x450 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x811fa0 | 0x812000 | 7dc48def8dc10c480d88616a4f3be32d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x813000 | 0x12ec30 | 0x12ee00 | 3be6dbdc3f0b8ecc58fcea6d0335a7ba | False | 0.38807699004333474 | dBase III DBT, version number 0, next free block index 10, 1st item "iptions\011v1.3.0\011h1:wxQx2Bt4xzPIKvW59WQf1tJNx/ZZKPfN+EhPX3Z6CYY=" | 5.23751921253 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x942000 | 0xa25dd0 | 0xa25e00 | 7b3885da04e0d16f5daf459aa6114c5c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0x1368000 | 0x30330 | 0x30400 | 559b334bed624b83b8a4949da92f2023 | False | 0.4006335006476684 | data | 5.91790678241677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0x1399000 | 0xc60 | 0xe00 | 598e535fe607858aac5031bc3f04aed2 | False | 0.259765625 | data | 4.001905270862839 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x139a000 | 0x54a60 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x13ef000 | 0x4e | 0x200 | e93218c94904fd210918396bda51b725 | False | 0.1328125 | data | 0.9168902136227094 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x13f0000 | 0x1438 | 0x1600 | 801c904561bc77ee780c316f3b158f69 | False | 0.29651988636363635 | data | 4.45875633652862 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x13f2000 | 0x70 | 0x200 | 18158ec1436c56f046fc93e958a612b8 | False | 0.083984375 | data | 0.4565349337112152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x13f3000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x13f4000 | 0x1719a | 0x17200 | 91f95269ea881549ece0b5961991d7e0 | False | 0.5112858952702702 | data | 5.570600716869345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x140c000 | 0x2cb00 | 0x2cc00 | 978fc35afb713ff918d8f89c9210271e | False | 0.18789280726256982 | data | 5.4355841746041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x13f435c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | | | 0.2942430703624733
RT_ICON | 0x13f5204 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | | | 0.43276173285198555
RT_ICON | 0x13f5aac | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | | | 0.5447976878612717
RT_ICON | 0x13f6014 | 0x7d04 | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | | | 0.9655980502437196
RT_ICON | 0x13fdd18 | 0x23ec | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.987603305785124
RT_ICON | 0x1400104 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.08927727916863486
RT_ICON | 0x140432c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.10840248962655602
RT_ICON | 0x14068d4 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | | | 0.12662721893491125
RT_ICON | 0x140833c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.16017823639774859
RT_ICON | 0x14093e4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.20942622950819673
RT_ICON | 0x1409d6c | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | | | 0.2063953488372093
RT_ICON | 0x140a424 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.2473404255319149
RT_GROUP_ICON | 0x140a88c | 0xae | data | | | 0.6494252873563219
RT_VERSION | 0x140a93c | 0x48c | PGP symmetric key encrypted data - Plaintext or unencrypted data | English | United States | 0.44072164948453607
RT_MANIFEST | 0x140adc8 | 0x3d2 | XML 1.0 document, ASCII text, with very long lines (864) | English | United States | 0.5398773006134969
DLL | Import
KERNEL32.dll | AddAtomA, AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
msvcrt.dll | ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen
Name | Ordinal | Address
_cgo_dummy_export | 1 | 0x1413edc90
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 18, 2024 14:06:55.971892118 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:55.971950054 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:55.972146034 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:55.972635031 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:55.972656012 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:56.794853926 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:56.795140028 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:56.795156002 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:56.795173883 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:56.795178890 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:56.796701908 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:56.796802044 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:56.857403040 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:56.857709885 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:56.857904911 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:56.857923985 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:56.905106068 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.024147987 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.024624109 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.024698973 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.024720907 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.025336981 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.025398970 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.025407076 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.027084112 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.027148008 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.027156115 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.027261019 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.027338028 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.027344942 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.074687958 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.074697971 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.120326996 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.141160011 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.142003059 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.142100096 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.142117977 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.142379045 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.142610073 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.142618895 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.143975973 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.144057035 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.144279003 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.144292116 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.144407034 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.144849062 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.145733118 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.145807981 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.145818949 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.146569967 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.146653891 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.146655083 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.146681070 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.146763086 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.146820068 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.195175886 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
Oct 18, 2024 14:06:57.261929035 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.261961937 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.261977911 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.262022018 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.262039900 CEST | 443 | 49704 | 185.199.110.133 | 192.168.2.5
Oct 18, 2024 14:06:57.262099028 CEST | 49704 | 443 | 192.168.2.5 | 185.199.110.133
                                                                    Oct 18, 2024 14:06:57.262130976 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.262146950 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.262154102 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.262200117 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.412254095 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.412266970 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.412312031 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.412373066 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.412398100 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.412429094 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.412451029 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.416903019 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.416918993 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.417001963 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.417020082 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.417063951 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.420258045 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.420272112 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.420372963 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.420389891 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.420433044 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.424909115 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.424926043 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.424984932 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.425005913 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.425048113 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.526886940 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.526912928 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.527062893 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.527097940 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.527148008 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.530591011 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.530607939 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.530683041 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.530704975 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.530745029 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.534348011 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.534363031 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.534425020 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.534445047 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.534487009 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.537420034 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.537434101 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.537489891 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.537507057 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.537554026 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.540389061 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.540407896 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.540462017 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.540478945 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.540498018 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.540513039 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.543299913 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.543318987 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.543406010 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.543428898 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.543467999 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.546022892 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.546039104 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.546092033 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.546112061 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.546155930 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.644789934 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.644809961 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.644957066 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.644994974 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.645041943 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.647551060 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.647566080 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.647659063 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.647676945 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.647716999 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.650902033 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.650918007 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.651009083 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.651029110 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.651079893 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.652813911 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.652827978 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.652908087 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.652925968 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.652970076 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.655071020 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.655086040 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.655164003 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.655180931 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.655229092 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.657962084 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.657974958 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.658056021 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.658077002 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.658127069 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.659765959 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.659781933 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.659859896 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.659876108 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.659914970 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.660635948 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.660700083 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.660710096 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.660726070 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.660768986 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.703675032 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.720855951 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.720884085 CEST44349704185.199.110.133192.168.2.5
                                                                    Oct 18, 2024 14:06:57.720889091 CEST49704443192.168.2.5185.199.110.133
                                                                    Oct 18, 2024 14:06:57.720896959 CEST44349704185.199.110.133192.168.2.5
UDP packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Oct 18, 2024 14:06:55.920861959 CEST  63805        53         192.168.2.5  1.1.1.1
Oct 18, 2024 14:06:55.928643942 CEST  53           63805      1.1.1.1      192.168.2.5

DNS queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Oct 18, 2024 14:06:55.920861959 CEST  192.168.2.5  1.1.1.1  0x5b70    Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false

DNS answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                       CName  Address          Type            Class        DNS over HTTPS
Oct 18, 2024 14:06:55.928643942 CEST  1.1.1.1    192.168.2.5  0x5b70    No error (0)  raw.githubusercontent.com         185.199.110.133  A (IP address)  IN (0x0001)  false
Oct 18, 2024 14:06:55.928643942 CEST  1.1.1.1    192.168.2.5  0x5b70    No error (0)  raw.githubusercontent.com         185.199.108.133  A (IP address)  IN (0x0001)  false
Oct 18, 2024 14:06:55.928643942 CEST  1.1.1.1    192.168.2.5  0x5b70    No error (0)  raw.githubusercontent.com         185.199.111.133  A (IP address)  IN (0x0001)  false
Oct 18, 2024 14:06:55.928643942 CEST  1.1.1.1    192.168.2.5  0x5b70    No error (0)  raw.githubusercontent.com         185.199.109.133  A (IP address)  IN (0x0001)  false
                                                                    • raw.githubusercontent.com
Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.5  49704        185.199.110.133  443               5000  C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
Timestamp                Bytes transferred  Direction  Data
2024-10-18 12:06:56 UTC  168                OUT        GET /EDDYCJY/fake-useragent/v0.2.0/static/fake_useragent_0.2.0.json HTTP/1.1
                                                       Host: raw.githubusercontent.com
                                                       User-Agent: Go-http-client/1.1
                                                       Accept-Encoding: gzip
2024-10-18 12:06:57 UTC  902                IN         HTTP/1.1 200 OK
                                                       Connection: close
                                                       Content-Length: 352779
                                                       Cache-Control: max-age=300
                                                       Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                       Content-Type: text/plain; charset=utf-8
                                                       ETag: "cf88b0307ffa57ea34824ae5e33bbccf2f72386f6d729239b3f25bda3a055865"
                                                       Strict-Transport-Security: max-age=31536000
                                                       X-Content-Type-Options: nosniff
                                                       X-Frame-Options: deny
                                                       X-XSS-Protection: 1; mode=block
                                                       X-GitHub-Request-Id: 3762:203184:4D9D16:55DAA7:67124F56
                                                       Accept-Ranges: bytes
                                                       Date: Fri, 18 Oct 2024 12:06:56 GMT
                                                       Via: 1.1 varnish
                                                       X-Served-By: cache-dfw-kdal2120061-DFW
                                                       X-Cache: MISS
                                                       X-Cache-Hits: 0
                                                       X-Timer: S1729253217.922579,VS0,VE40
                                                       Vary: Authorization,Accept-Encoding,Origin
                                                       Access-Control-Allow-Origin: *
                                                       Cross-Origin-Resource-Policy: cross-origin
                                                       X-Fastly-Request-ID: 9859133a618a49cbe265ffabbb551a4f69def0d9
                                                       Expires: Fri, 18 Oct 2024 12:11:56 GMT
                                                       Source-Age: 0



                                                                    Target ID:0
                                                                    Start time:08:06:54
                                                                    Start date:18/10/2024
                                                                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.1057.9543.exe"
                                                                    Imagebase:0x7ff7216e0000
                                                                    File size:20'831'232 bytes
                                                                    MD5 hash:F0ECB0B7A365F88B26F3CB7D5101881A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.3007789626.000000C0005AC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.2631370302.000000C0008A6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.3310532037.000000C000588000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.3005308576.000000C0006B8000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.3310893840.000000C000858000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.3005069060.000000C000750000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.3310009226.000000C00049D000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.3075843578.000000C003266000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.3005997659.000000C000640000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.2629519795.000000C000931000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.3074488765.000000C0032A6000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                    • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2631370302.000000C000900000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                    • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000002.3312288498.000000C001D00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_GoInjector_2, Description: Yara detected Go Injector, Source: 00000000.00000000.2051979895.00007FF722506000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                    Reputation:low
                                                                    Has exited:false

                                                                    No disassembly