Edit tour

Windows Analysis Report
Z4uyrnCQ8L.exe

Overview

General Information

Sample name:	Z4uyrnCQ8L.exe renamed because original name is a hash value
Original sample name:	e43b8d566ab55de4ac14f99de4f6ba08a46676c5a67db582fdc620132f5fc083.exe
Analysis ID:	1554431
MD5:	0569e3de597c7271e9a24ddeb0ca9a33
SHA1:	9c9b90bcc0d307b516405fd92c8d1c6777f6ad53
SHA256:	e43b8d566ab55de4ac14f99de4f6ba08a46676c5a67db582fdc620132f5fc083
Tags:	4-251-123-83exeuser-JAMESWT_MHT
Infos:

Detection

Meduza Stealer, PureLog Stealer, RedLine, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Meduza Stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Z4uyrnCQ8L.exe (PID: 7840 cmdline: "C:\Users\user\Desktop\Z4uyrnCQ8L.exe" MD5: 0569E3DE597C7271E9A24DDEB0CA9A33)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: RedLine

{"C2 url": "4.251.123.83:6677"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Z4uyrnCQ8L.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
Z4uyrnCQ8L.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Z4uyrnCQ8L.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Z4uyrnCQ8L.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45c17:$s1: file:/// 0x45b4f:$s2: {11111-22222-10009-11112} 0x45ba7:$s3: {11111-22222-50001-00000} 0x423fa:$s4: get_Module 0x42864:$s5: Reverse 0x45226:$s6: BlockCopy 0x42c23:$s7: ReadByte 0x45c29:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000000.1427111807.00000000004C2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000000.1427111807.00000000004C2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.1504294368.000000000295D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Z4uyrnCQ8L.exe PID: 7840	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: Z4uyrnCQ8L.exe PID: 7840	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Z4uyrnCQ8L.exe PID: 7840	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.Z4uyrnCQ8L.exe.4c0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
1.0.Z4uyrnCQ8L.exe.4c0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.0.Z4uyrnCQ8L.exe.4c0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.0.Z4uyrnCQ8L.exe.4c0000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45c17:$s1: file:/// 0x45b4f:$s2: {11111-22222-10009-11112} 0x45ba7:$s3: {11111-22222-50001-00000} 0x423fa:$s4: get_Module 0x42864:$s5: Reverse 0x45226:$s6: BlockCopy 0x42c23:$s7: ReadByte 0x45c29:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T14:51:32.543261+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.10	49703	TCP
2024-11-12T14:52:13.167799+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.10	49313	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T14:51:20.366269+0100	2046056	1	A Network Trojan was detected	4.251.123.83	6677	192.168.2.10	49702	TCP

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T14:51:19.869445+0100	2046045	1	A Network Trojan was detected	192.168.2.10	49702	4.251.123.83	6677	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Z4uyrnCQ8L.exe

Avira: detected

Found malware configuration

Source: Z4uyrnCQ8L.exe.7840.1.memstrmin

Malware Configuration Extractor: RedLine {"C2 url": "4.251.123.83:6677"}

Multi AV Scanner detection for submitted file

Source: Z4uyrnCQ8L.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Z4uyrnCQ8L.exe

Joe Sandbox ML: detected

Source: Z4uyrnCQ8L.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Z4uyrnCQ8L.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.10:49702 -> 4.251.123.83:6677
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 4.251.123.83:6677 -> 192.168.2.10:49702

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 4.251.123.83:6677

Source: global traffic

TCP traffic: 192.168.2.10:49702 -> 4.251.123.83:6677

Source: Joe Sandbox View

ASN Name: LEVEL3US LEVEL3US

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.10:49313
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.10:49703

Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83

Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1520127512.000000001BEAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldbH equals www.youtube.com (Youtube)
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1517030101.000000001B8D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002E83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: pC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002E83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: pC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldbH equals www.youtube.com (Youtube)

Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.000000000295D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field1
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field1Response
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field2
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.000000000295D000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field2Response
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field3
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.000000000295D000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field3Response
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.000000000295D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Z4uyrnCQ8L.exe, type: SAMPLE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 1.0.Z4uyrnCQ8L.exe.4c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: Z4uyrnCQ8L.exe, Strings.cs

Large array initialization: Strings: array initializer size 6160

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Code function: 1_2_00007FF7BFF8A530	1_2_00007FF7BFF8A530
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Code function: 1_2_00007FF7C00E16B6	1_2_00007FF7C00E16B6
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Code function: 1_2_00007FF7C00D8EF9	1_2_00007FF7C00D8EF9
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Code function: 1_2_00007FF7C00D6776	1_2_00007FF7C00D6776
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Code function: 1_2_00007FF7C00E25EA	1_2_00007FF7C00E25EA
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Code function: 1_2_00007FF7C00F9390	1_2_00007FF7C00F9390
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Code function: 1_2_00007FF7BFF8A591	1_2_00007FF7BFF8A591

Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.000000000295D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Z4uyrnCQ8L.exe
Source: Z4uyrnCQ8L.exe, 00000001.00000000.1427111807.000000000054E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGristles.exe" vs Z4uyrnCQ8L.exe
Source: Z4uyrnCQ8L.exe	Binary or memory string: OriginalFilenameGristles.exe" vs Z4uyrnCQ8L.exe

Source: Z4uyrnCQ8L.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Z4uyrnCQ8L.exe, type: SAMPLE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 1.0.Z4uyrnCQ8L.exe.4c0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: Z4uyrnCQ8L.exe, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Z4uyrnCQ8L.exe, Class4.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Z4uyrnCQ8L.exe, Class4.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe

File created: C:\Users\user\AppData\Local\Microsoft\Wind?ws

Jump to behavior

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe

Mutant created: NULL

Source: Z4uyrnCQ8L.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Z4uyrnCQ8L.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Z4uyrnCQ8L.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Z4uyrnCQ8L.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Z4uyrnCQ8L.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Z4uyrnCQ8L.exe, Class4.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: Z4uyrnCQ8L.exe

Static PE information: 0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Code function: 1_2_00007FF7BFEB00BD pushad ; iretd	1_2_00007FF7BFEB00C1
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Code function: 1_2_00007FF7BFEB5CB0 push edi; iretd	1_2_00007FF7BFEB5CB6
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Code function: 1_2_00007FF7BFEB63EE push ss; retf	1_2_00007FF7BFEB63EF
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Code function: 1_2_00007FF7BFF82004 pushad ; retf	1_2_00007FF7BFF82005
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Code function: 1_2_00007FF7BFF8DCE8 pushad ; ret	1_2_00007FF7BFF8DCE9
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Code function: 1_2_00007FF7BFF8CD09 pushad ; iretd	1_2_00007FF7BFF8CD69

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: \QEMU-GA.EXE

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Memory allocated: EB0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Memory allocated: 1A8B0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Window / User API: threadDelayed 2524			Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Window / User API: threadDelayed 1528			Jump to behavior

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe TID: 8060	Thread sleep time: -15679732462653109s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe TID: 7884	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1517266303.000000001B8E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.000000001298B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Queries volume information: C:\Users\user\Desktop\Z4uyrnCQ8L.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Z4uyrnCQ8L.exe, 00000001.00000002.1518085385.000000001BD90000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: Z4uyrnCQ8L.exe PID: 7840, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Z4uyrnCQ8L.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Z4uyrnCQ8L.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1427111807.00000000004C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: Z4uyrnCQ8L.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Z4uyrnCQ8L.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1427111807.00000000004C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Z4uyrnCQ8L.exe PID: 7840, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: Z4uyrnCQ8L.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Z4uyrnCQ8L.exe.4c0000.0.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: hieplnfojfccegoloniefimmbfjdgcgp\|Electrum
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectronCashE#
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: mhonjhhcgphdphdjcdoeodfdliikapmj\|Jaxx Liberty
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: idkppnahnmmggbmfkjhiakkbkdpnmnon\|Exodus
Source: Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: Z4uyrnCQ8L.exe, 00000001.00000000.1427111807.00000000004C2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\Z4uyrnCQ8L.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior

Source: Yara match	File source: 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1504294368.000000000295D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Z4uyrnCQ8L.exe PID: 7840, type: MEMORYSTR

Remote Access Functionality

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: Z4uyrnCQ8L.exe PID: 7840, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Z4uyrnCQ8L.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Z4uyrnCQ8L.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1427111807.00000000004C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: Z4uyrnCQ8L.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Z4uyrnCQ8L.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.1427111807.00000000004C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Z4uyrnCQ8L.exe PID: 7840, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: Z4uyrnCQ8L.exe, type: SAMPLE
Source: Yara match	File source: 1.0.Z4uyrnCQ8L.exe.4c0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	331 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Z4uyrnCQ8L.exe	63%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
Z4uyrnCQ8L.exe	100%	Avira	TR/AD.RedLineSteal.zieqc
Z4uyrnCQ8L.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
4.251.123.83:6677	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
4.251.123.83:6677	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discord.com/api/v9/users/	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field1Response	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.000000000295D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ip.sb/ip	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/sc	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.w3.oh	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.000000000295D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field1	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/envelope/	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field2	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field3	Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/06/addressingex	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field3Response	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.000000000295D000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CD6000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.0000000012CF7000.00000004.00000800.00020000.00000000.sdmp, Z4uyrnCQ8L.exe, 00000001.00000002.1509908034.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2002/12/policy	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext	Z4uyrnCQ8L.exe, 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
4.251.123.83	unknown	United States		3356	LEVEL3US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554431
Start date and time:	2024-11-12 14:50:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Z4uyrnCQ8L.exe renamed because original name is a hash value
Original Sample Name:	e43b8d566ab55de4ac14f99de4f6ba08a46676c5a67db582fdc620132f5fc083.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Z4uyrnCQ8L.exe

Simulations

Behavior and APIs

Time	Type	Description
08:51:21	API Interceptor	19x Sleep call for process: Z4uyrnCQ8L.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
4.251.123.83	file.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEVEL3US	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	65.90.191.211
	sora.arm.elf	Get hash	malicious	Mirai	Browse	4.98.147.155
	DEMASI-24-12B DOC. SCAN.exe	Get hash	malicious	GuLoader, Remcos	Browse	4.150.155.223
	amen.arm6.elf	Get hash	malicious	Mirai	Browse	7.167.215.90
	amen.x86.elf	Get hash	malicious	Mirai	Browse	11.22.83.104
	amen.arm.elf	Get hash	malicious	Unknown	Browse	6.17.53.0
	zgp.elf	Get hash	malicious	Mirai	Browse	9.168.203.84
	amen.m68k.elf	Get hash	malicious	Unknown	Browse	7.229.51.211
	amen.sh4.elf	Get hash	malicious	Mirai	Browse	8.91.25.183
	amen.spc.elf	Get hash	malicious	Mirai	Browse	65.59.28.22

Process:	C:\Users\user\Desktop\Z4uyrnCQ8L.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2611
Entropy (8bit):	5.363358188931451
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkafHKWA1eXrHKlT48BHK7HKmTHlHNW:iq+wmj0qCYqGSI6oPtzHeqKkGqhA7qZR
MD5:	CEA017D10C4D437981D19F21660A47FA
SHA1:	61AAFCECB5325DE172857CEF7C7E1F230F73AFFD
SHA-256:	60B099420455DECD1878FE84F217CFE478BA0BA5E6E574077150D08355A1DD96
SHA-512:	413384BF9D2EDC9BC2DF6D5175D09A33B91CCF9C53FE3CB21892CB57AF4FD8A9BE0608E9BCA57AF4A7F2709A4C110148719DA3210460DF433CFD77FA753B9CF8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.18018123915167
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Z4uyrnCQ8L.exe
File size:	743'424 bytes
MD5:	0569e3de597c7271e9a24ddeb0ca9a33
SHA1:	9c9b90bcc0d307b516405fd92c8d1c6777f6ad53
SHA256:	e43b8d566ab55de4ac14f99de4f6ba08a46676c5a67db582fdc620132f5fc083
SHA512:	fe8ddb3f313470a1ec1cbcbf32696ba51031b74cc86d3dea1d35aacbbbb59f20ed7ddd0a34c5d7d97d33ba412427d520f40150db4a2fd5f448fa35f9c723163b
SSDEEP:	12288:6D6YDzqx5XBNt1BrivR0V4TBjgYxs1wl206gBawFV2ceSb0BQ/GfM/4QiAzojgJQ:6D6Y3qx51NLXA
TLSH:	ABF4701C5BBC058CEC8CD531BE20C9326EA04E08919FCB49A569FA151EB6277B3F5BD1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	0e9696961617e982

Static PE Info

General

Entrypoint:	0x44d0ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4d098	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4e000	0x6a022	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4b0f4	0x4b200	a476ce29ddbb44b4bea011f9a2cb5195	False	0.41800774750415975	data	6.528658897737541	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4e000	0x6a022	0x6a200	65e4195d76e2641b30f5c060426a53b1	False	0.04090059997055359	data	3.4733020781588206	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0xc	0x200	3a13fecd19ca9773d82cc3855bc1b8eb	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4e2b0	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	0.019047548598988075
RT_ICON	0x902d8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.03903939429788241
RT_ICON	0xa0b00	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.0580460374185411
RT_ICON	0xa9fa8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.08243992606284659
RT_ICON	0xaf430	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.0987836561171469
RT_ICON	0xb3658	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.14284232365145227
RT_ICON	0xb5c00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.22537523452157598
RT_ICON	0xb6ca8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.30901639344262294
RT_ICON	0xb7630	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.4530141843971631
RT_GROUP_ICON	0xb7a98	0x84	data	0.7196969696969697
RT_VERSION	0xb7b1c	0x31c	data	0.4535175879396985
RT_MANIFEST	0xb7e38	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-12T14:51:19.869445+0100	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	1	192.168.2.10	49702	4.251.123.83	6677	TCP
2024-11-12T14:51:20.366269+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	4.251.123.83	6677	192.168.2.10	49702	TCP
2024-11-12T14:51:32.543261+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.10	49703	TCP
2024-11-12T14:52:13.167799+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.10	49313	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 14:51:19.027868986 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:19.032712936 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:19.032821894 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:19.035084963 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:19.039947033 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:19.852816105 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:19.869445086 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:19.875272036 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.107214928 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.125823021 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:20.131987095 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.366159916 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.366173983 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.366185904 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.366247892 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:20.366269112 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.366282940 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.366293907 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.366307020 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.366318941 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.366333961 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:20.366365910 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:20.366483927 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.366496086 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.366537094 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:20.366771936 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.366782904 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.366844893 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:20.371237040 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.424025059 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:20.482865095 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.482878923 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.482892036 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.482919931 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:20.482952118 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.482996941 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:20.483160973 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.483174086 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.483184099 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:20.483210087 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:20.533427000 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.783246040 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.788220882 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.788265944 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.788281918 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.788291931 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.788299084 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.788307905 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.788319111 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.788327932 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.788336992 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.788358927 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.788360119 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.788372040 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.788381100 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.788393974 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.788436890 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.793221951 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.793231964 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.793248892 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.793267965 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.793278933 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.793284893 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.793322086 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.793337107 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.793348074 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.793378115 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.793402910 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.793418884 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.793423891 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.793454885 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.793461084 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.793471098 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.793510914 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.793519020 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.793557882 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.793622017 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.793678999 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.798352003 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.798407078 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.798434973 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.798527002 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.798542023 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.798609018 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.798619032 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.798621893 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.798666954 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.798773050 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.798783064 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.798791885 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.798824072 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.798825026 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.798835993 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.798861027 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.798919916 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.798980951 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.798989058 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.799005985 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.799016953 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.799041986 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.799057007 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.803392887 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803410053 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803456068 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.803479910 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803489923 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803513050 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803523064 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803534985 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.803551912 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803560972 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.803569078 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803607941 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803617954 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803626060 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803630114 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.803649902 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803669930 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.803673029 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803683043 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.803683996 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803704023 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.803750038 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.803781986 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803792000 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803801060 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803809881 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803824902 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803834915 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803877115 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803888083 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803905964 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803915024 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803941965 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803950071 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803966045 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803977013 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.803998947 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804008007 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804042101 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804059029 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804068089 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804124117 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804135084 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804143906 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804161072 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804169893 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804187059 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804195881 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804238081 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804246902 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804280996 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804291010 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804306984 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804316044 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804358006 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804367065 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804382086 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.804403067 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804414988 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804431915 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804442883 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804445028 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.804518938 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804528952 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804538012 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804548025 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804564953 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804574013 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804582119 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804591894 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.804603100 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.808845043 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.808856964 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.808952093 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.808969975 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.809062004 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.809084892 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.809174061 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.809262991 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.809395075 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.809412956 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.809556007 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.809600115 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.809669971 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.809751987 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.809876919 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.809886932 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.809994936 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810003996 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810048103 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810089111 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810190916 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810201883 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810231924 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810241938 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810280085 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810364962 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810375929 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810389996 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810408115 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810472012 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810489893 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810497999 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810514927 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810524940 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810539961 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810549974 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810561895 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810602903 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.810631037 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810642004 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810652971 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810663939 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.810667038 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810694933 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810743093 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810753107 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810761929 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810771942 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810784101 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810817957 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810868979 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810878038 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810895920 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810935974 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810945034 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810956001 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.810992002 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811002016 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811028004 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811037064 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811077118 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811085939 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811127901 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811136961 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811161995 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811172009 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811213970 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811331034 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811342001 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811352968 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811606884 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811651945 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811707020 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811754942 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811815023 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811825991 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811847925 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811865091 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811911106 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811969042 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.811980009 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.812019110 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.812061071 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.815594912 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.815610886 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.815619946 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.815638065 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.815929890 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.815948963 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.815989971 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.815990925 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816001892 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816030025 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816143990 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816176891 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816236973 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816246033 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816314936 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816373110 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816423893 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816433907 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816474915 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816484928 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816529989 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816539049 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816574097 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816584110 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816637993 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816648006 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816684008 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816747904 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816757917 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816766977 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816787004 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816797018 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816812038 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816821098 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816838026 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816848040 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816898108 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816907883 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816940069 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816948891 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.816989899 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.817027092 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.817047119 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.817056894 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.817095995 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.817107916 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.817125082 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.817133904 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.817178965 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.817188025 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.817231894 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.817240953 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.817256927 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.817310095 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.817318916 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.820977926 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821121931 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821132898 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821181059 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.821198940 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821209908 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821264029 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.821294069 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821305037 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821321964 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821331024 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821397066 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821407080 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821454048 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821496964 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821547031 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821567059 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821705103 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821734905 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821836948 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821866035 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821919918 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821928978 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.821991920 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822001934 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822073936 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822083950 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822187901 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822205067 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822241068 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822257996 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822310925 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822319984 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822330952 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822365046 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822375059 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822382927 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822412968 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822483063 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822513103 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822563887 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822619915 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822644949 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822738886 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822793007 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822802067 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822810888 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822851896 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822861910 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822870970 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822880983 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822897911 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822907925 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822916031 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.822926998 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826103926 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826217890 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826227903 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826318979 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.826379061 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.826389074 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826406002 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826442957 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826452971 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826534986 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826561928 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826630116 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826673985 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826720953 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826824903 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826894045 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826931000 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.826941013 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827016115 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827150106 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827159882 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827168941 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827178001 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827253103 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827263117 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827271938 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827281952 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827291012 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827301979 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827444077 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827491999 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827567101 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827577114 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827615976 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827701092 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827836990 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827847004 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827888012 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827898026 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827939034 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827949047 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827965021 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827981949 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.827991962 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.828048944 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.828058958 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.828069925 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.828093052 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.828103065 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.828206062 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.828214884 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.828241110 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.828311920 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.828321934 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.828353882 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831188917 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831342936 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831368923 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831423044 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.831510067 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.831523895 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831537008 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831579924 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831595898 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831669092 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831681013 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831739902 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831779957 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831804991 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831834078 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831892014 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831901073 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831984997 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.831994057 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.832043886 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.832072020 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.832123041 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.832160950 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.832206964 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.861551046 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.866503000 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.866770983 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.866863966 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.866863966 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.866921902 CET	49702	6677	192.168.2.10	4.251.123.83
Nov 12, 2024 14:51:23.872356892 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.872369051 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.872380972 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.872390985 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.872409105 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.872417927 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.872694016 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.872703075 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.872711897 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.872720957 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.872730970 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.872740984 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.872750044 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.872819901 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.872828960 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:23.906358957 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:24.640218973 CET	6677	49702	4.251.123.83	192.168.2.10
Nov 12, 2024 14:51:24.652049065 CET	49702	6677	192.168.2.10	4.251.123.83

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 14:51:34.760117054 CET	53	60877	1.1.1.1	192.168.2.10

Target ID:	1
Start time:	08:51:15
Start date:	12/11/2024
Path:	C:\Users\user\Desktop\Z4uyrnCQ8L.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Z4uyrnCQ8L.exe"
Imagebase:	0x4c0000
File size:	743'424 bytes
MD5 hash:	0569E3DE597C7271E9A24DDEB0CA9A33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.1504294368.0000000002944000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000000.1427111807.00000000004C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.1427111807.00000000004C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1504294368.000000000295D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF7BFF8A530 Relevance: 4.6, Strings: 2, Instructions: 2107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 00007FF7BFF8B63A
H, xrefs: 00007FF7BFF8A538

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID: H$H
API String ID: 0-136785262
Opcode ID: 1cb3bafafd07dbfa5faab2f353a88072e0d8b9006773bab73c1ba8acb6481a29
Instruction ID: c4e4c834d7821dc5b7a00ccff20ea3c72384b86cdc495d25179bff440bbb788c
Opcode Fuzzy Hash: 1cb3bafafd07dbfa5faab2f353a88072e0d8b9006773bab73c1ba8acb6481a29
Instruction Fuzzy Hash: 33D2A130B1CA498FD798EB2CC495669B7E2FF99741B4446BEE05EC32A6CE34EC418741

Function 00007FF7C00E16B6 Relevance: 3.8, Strings: 1, Instructions: 2536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

S, xrefs: 00007FF7C00E2981

Memory Dump Source

Source File: 00000001.00000002.1523529629.00007FF7C00D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c00d0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID: S
API String ID: 0-543223747
Opcode ID: fff820315ad46596a8fcd650d80b20ea583716491c97f220497c09fda98e4864
Instruction ID: 0aedf37b969eee064773d1f22d4de1275be568bf6f3c1a294a60bf47043a6566
Opcode Fuzzy Hash: fff820315ad46596a8fcd650d80b20ea583716491c97f220497c09fda98e4864
Instruction Fuzzy Hash: 4A238770A1892D8FDFA8EF18C895BA9B7B1FB68301F5041EA900DE3651CF756A81CF54

Function 00007FF7C00D6776 Relevance: 2.1, Strings: 1, Instructions: 896
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@B/, xrefs: 00007FF7C00D5F21

Memory Dump Source

Source File: 00000001.00000002.1523529629.00007FF7C00D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c00d0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID: @B/
API String ID: 0-3863299084
Opcode ID: 9e87a68ddbbd06e11d7d11f71f15568a8559b6b21db8e840c9801e336baf1ca1
Instruction ID: 6c6c81afa81452d876f7f693080d33192c050516d5685195dbd9ae45de8e4dbd
Opcode Fuzzy Hash: 9e87a68ddbbd06e11d7d11f71f15568a8559b6b21db8e840c9801e336baf1ca1
Instruction Fuzzy Hash: A772EB70918A298FDB99EF18C8997A8B7B1FF58311F5141E9D00EE7296CB34A9C0CF51

Function 00007FF7C00E25EA Relevance: 1.8, Strings: 1, Instructions: 571
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

S, xrefs: 00007FF7C00E2981

Memory Dump Source

Source File: 00000001.00000002.1523529629.00007FF7C00D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c00d0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID: S
API String ID: 0-543223747
Opcode ID: 25fc60fa8348f09887b7661f7479b0313f614762d1eb2945a6e14e2532bebc0b
Instruction ID: a9f063aa972f277b46f81a1f99dd97aeb8ec84f308b742104d1cd08f92ca0a03
Opcode Fuzzy Hash: 25fc60fa8348f09887b7661f7479b0313f614762d1eb2945a6e14e2532bebc0b
Instruction Fuzzy Hash: 74328870A1492D8FDFA8EF18C895BA9B7B1FB68305F5041EA900DE3651DB35AE81CF40

Function 00007FF7BFF8A591 Relevance: 1.1, Instructions: 1132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ce235a31f95093666bcaa041fb5c8b68e454e4df045769a7359996f25bd07f
Instruction ID: 3fc15eeb1a77fed835dd68d0de29530ac3ccac142447f6073c8e246f7dba2f50
Opcode Fuzzy Hash: 83ce235a31f95093666bcaa041fb5c8b68e454e4df045769a7359996f25bd07f
Instruction Fuzzy Hash: B7727E3071C94A8FDB98EB2CD495A68F3E1FFA9700B4545B9E15EC72A6CE24FC418781

Function 00007FF7C00D8EF9 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1523529629.00007FF7C00D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c00d0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01527dcf170931b45c9f683d540249158bbe1d6344d790b8949981684ab1e6b4
Instruction ID: 71f2fbc1ce0ecaa107fce25bee2109a69288e205ef18fee8b08cd2e7e1cd6522
Opcode Fuzzy Hash: 01527dcf170931b45c9f683d540249158bbe1d6344d790b8949981684ab1e6b4
Instruction Fuzzy Hash: 7002987091892D8FDB98EF18C895BE9B7B2FB98301F5042E9D00DE3295DF356A818F54

Function 00007FF7BFF8C6E2 Relevance: 1.7, Strings: 1, Instructions: 480
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ZM_H, xrefs: 00007FF7BFF8C9CF

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID: ZM_H
API String ID: 0-3096618608
Opcode ID: d9cea511d8e25c6cd5911f673acdf713de3e1ba23f8050655e0e083a06d7d5cc
Instruction ID: 764ea0360e392050966208c963ca396ae4a351095de2ce57225cc273673f7f1f
Opcode Fuzzy Hash: d9cea511d8e25c6cd5911f673acdf713de3e1ba23f8050655e0e083a06d7d5cc
Instruction Fuzzy Hash: 3CE1AE70B1CE498FD798EB2CD459668B7E1FF99311B4502BAE04EC72A6DE24EC018781

Function 00007FF7C00DBB21 Relevance: 1.7, APIs: 1, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE ref: 00007FF7C00DBC2A

Memory Dump Source

Source File: 00000001.00000002.1523529629.00007FF7C00D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c00d0000_Z4uyrnCQ8L.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 592ca0bce23309ff0ed26f565113905fa0965df233372316268713794bd307c1
Instruction ID: e0891c9391e179caec484777dcae03de7773fa08990696ad0731fbf74a563a90
Opcode Fuzzy Hash: 592ca0bce23309ff0ed26f565113905fa0965df233372316268713794bd307c1
Instruction Fuzzy Hash: 6241BF31908B1C8FDB58EF58D8466EDBBE1FB99320F04426AD04DD7246CB74A985CBC1

Function 00007FF7C00D0DD9 Relevance: 1.6, APIs: 1, Instructions: 118
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateCompatibleBitmap.GDI32 ref: 00007FF7C00D0E7A

Memory Dump Source

Source File: 00000001.00000002.1523529629.00007FF7C00D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c00d0000_Z4uyrnCQ8L.jbxd

Similarity

API ID: BitmapCompatibleCreate
String ID:
API String ID: 1901715728-0
Opcode ID: 434fe76be3493b626c394279057e9e5e99b7f33cee304629c8ecfeb7e0108cec
Instruction ID: b63d8ecbf8a2e726dfdfda2a5806e188419b295db52ccb313958319ca57d3c16
Opcode Fuzzy Hash: 434fe76be3493b626c394279057e9e5e99b7f33cee304629c8ecfeb7e0108cec
Instruction Fuzzy Hash: 6C31083191CA4C4FDB1CAB6898066F9BBE4EB55321F00427FD04AC3252CA6568468B81

Function 00007FF7C00D5239 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteDC.GDI32 ref: 00007FF7C00D52C7

Memory Dump Source

Source File: 00000001.00000002.1523529629.00007FF7C00D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c00d0000_Z4uyrnCQ8L.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: b6157aed4e0216155c91d769d9e3931a58a274d9a9d907a7feec56d076d6af68
Instruction ID: 60cb81dbc0b71b4d82a20cab9d48d2090a622b9a0c9a76f7c529bd569a47e569
Opcode Fuzzy Hash: b6157aed4e0216155c91d769d9e3931a58a274d9a9d907a7feec56d076d6af68
Instruction Fuzzy Hash: C121043190CA4C8FDB58EFA8844A7F9BBE0EF96321F04826FD049C7253CA749546CB91

Function 00007FF7C00DB165 Relevance: 1.6, APIs: 1, Instructions: 101
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00007FF7C00DB1DF

Memory Dump Source

Source File: 00000001.00000002.1523529629.00007FF7C00D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c00d0000_Z4uyrnCQ8L.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 10f6f8eabd162756159458fae72b903ea1c67dc9f394bf0f882fd8d7bed4773b
Instruction ID: 0bc97db6cab8d14db17a275eb0997bd8d7fdbb1e7d5d5552145ff2e2ade396a4
Opcode Fuzzy Hash: 10f6f8eabd162756159458fae72b903ea1c67dc9f394bf0f882fd8d7bed4773b
Instruction Fuzzy Hash: 67316D30918B8C8FEB54DF1CD8457A8BBD1FB99320F14826AE40DC7252CB75E841CB92

Function 00007FF7BFF8D9CA Relevance: 1.4, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FF7BFF8DA72

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 46a7515e8ba8eb6897c2b38fa465dc4981e676f15fdf0c391ebb29d4a3a21bbe
Instruction ID: 8f4a33b71d3f4e5ec351d7c2a12f06bbe7455817a625444833edd3defeb67799
Opcode Fuzzy Hash: 46a7515e8ba8eb6897c2b38fa465dc4981e676f15fdf0c391ebb29d4a3a21bbe
Instruction Fuzzy Hash: C4315270718D0D8FDB98EB1CD459B68B3D2FF9871175542AAA05EC72A6CF24EC42CB81

Function 00007FF7BFEB7D58 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4164af639191089f3786225106826c2fa3d91dcc68603742df7d8d24d7a05cfa
Instruction ID: c244e71f792acc8d2466f61f72286726e2d8e407f70d1b08134672e58d421fc7
Opcode Fuzzy Hash: 4164af639191089f3786225106826c2fa3d91dcc68603742df7d8d24d7a05cfa
Instruction Fuzzy Hash: 8FD1F670A0895D8FDB95EB288895BE8B7F1FF59351F5042E9E00DD2692CF34AA81CF41

Function 00007FF7BFEB3299 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c386884dfc8ca11fb48f943c58f9f0c6483f07e6a930965b76eb4623874e1f
Instruction ID: 89c9cd3a76f02f99e5281455a6ed7c6613a09a362163a0cf936895f581811d79
Opcode Fuzzy Hash: 82c386884dfc8ca11fb48f943c58f9f0c6483f07e6a930965b76eb4623874e1f
Instruction Fuzzy Hash: E1C13A70D08A598FDB99EB58C8957F8B7B1FFA9311F5042BAD00DE7286CB346981CB50

Function 00007FF7BFEB0F47 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b277cb5a7247bac2a262c9d49889a200b08dcae01b7f8098a227b5f0f94f5641
Instruction ID: 6c88364f3eb2db696eb5c5536373cdfffe2d4c6fa91e05fa6896cb567c1ea463
Opcode Fuzzy Hash: b277cb5a7247bac2a262c9d49889a200b08dcae01b7f8098a227b5f0f94f5641
Instruction Fuzzy Hash: 5ED15474A04A1D8FDB94EB18C898BA8B7F5FF69311F5441E9E50DE7265CA30AE81CF40

Function 00007FF7BFEB0E10 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58ffa8a8e6cfe6e58405d01aca53c64cc4012663bde1674cb8f8629d7ffaff6
Instruction ID: 81bdb935179ff6343ec1e524f6a77db28dab7db2749265cee10b3d2d342132da
Opcode Fuzzy Hash: a58ffa8a8e6cfe6e58405d01aca53c64cc4012663bde1674cb8f8629d7ffaff6
Instruction Fuzzy Hash: B5B19770905A5D8FDB98EB58C898BA9B7B5FF59310F5042E9E00DE7265CA34AE81CF40

Function 00007FF7BFEB1EDE Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9057020b568bd6ca5da27f11cd47003c22ab9203ff1384953749d19b7daca2e8
Instruction ID: 42de13ffcbbfa28d0f09064fc26d57ca0d00db27c14d06c16f8bf137abc90c81
Opcode Fuzzy Hash: 9057020b568bd6ca5da27f11cd47003c22ab9203ff1384953749d19b7daca2e8
Instruction Fuzzy Hash: 20B12D30908A598FDBA9EB58C895BA8B3B1FF59710F5001F9E10DD7295CB34AE81CF40

Function 00007FF7BFEB251D Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c55b373cc970494cfb7e6b97c07ea23745cc73a90a0e2e33a88d5dfb255558
Instruction ID: dda07cb62401d1e7e2016b1af1b8b285d17548457009e44ba1be395cd5640593
Opcode Fuzzy Hash: 56c55b373cc970494cfb7e6b97c07ea23745cc73a90a0e2e33a88d5dfb255558
Instruction Fuzzy Hash: FB913C3290D5D21EF302BBBCA8B15F97B90EF52334F4843BAE18C8A4D7DD18645683A5

Function 00007FF7BFF8BD6C Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18bfa3271a603d921edbeb2850e33adc74387f898c38183d7478f861ab346369
Instruction ID: 41a4cabe3dec10040b0db9525f18582592a3c5ecef9770cc977443fa275efe86
Opcode Fuzzy Hash: 18bfa3271a603d921edbeb2850e33adc74387f898c38183d7478f861ab346369
Instruction Fuzzy Hash: 22710C7070CA888FD758DB1CD455665BBE1FF9A71074501EEE54AC72A7CE20EC42C781

Function 00007FF7BFEB2FF0 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc98f8b52f849dccc2d9d4887917d58eb0a8ed7e4beeed4531a2f9cb5868ed0
Instruction ID: 0b36f3d08beacb68520c7a77496a46070013b68875641b4a0b71085741d92913
Opcode Fuzzy Hash: fdc98f8b52f849dccc2d9d4887917d58eb0a8ed7e4beeed4531a2f9cb5868ed0
Instruction Fuzzy Hash: 6C91A130A0CA8A8FDB48DB6C94946FDB7E2FFD9754F44027AE44EE3296CE3468018751

Function 00007FF7BFEB2E90 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5827c16675d609f4aa01d3976d98e94f39be805a8088217dbd96c707c466c4d
Instruction ID: 73126375a36b29e5a15c9a64f025170a85ac30bdc36e6c49729cb25caddd8161
Opcode Fuzzy Hash: f5827c16675d609f4aa01d3976d98e94f39be805a8088217dbd96c707c466c4d
Instruction Fuzzy Hash: A091D830A0895D8FDB95EB9CC895BECB7E1FF69311F500269E00DE7296CE35A881CB51

Function 00007FF7BFEB15D0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e882ee8f2d424efe8c3426151527aa04971719b4a6adae25bb9e96280e6b9131
Instruction ID: 7a50733313de8594610ef567b2b1377d5c3fd20c0551416dfe2801faf7632d5c
Opcode Fuzzy Hash: e882ee8f2d424efe8c3426151527aa04971719b4a6adae25bb9e96280e6b9131
Instruction Fuzzy Hash: 5EA17574A09A598FDB99EB58C894BA8B7F5FF59300F5041E9E00EE7255CB34AE81CF40

Function 00007FF7BFF8A211 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa76f1399bde3f366e8846f376259275c475f750f177d3103fbf367bd3ada453
Instruction ID: 06ec84dafa00d58e14fc1afc039496b034ca39aabfc3c9f4d4e909a863d5e4d3
Opcode Fuzzy Hash: aa76f1399bde3f366e8846f376259275c475f750f177d3103fbf367bd3ada453
Instruction Fuzzy Hash: 1561B470B0DA898FD759EB6C84556A8F7E1FF56310B4402BEE09EC7197DE28AC41C781

Function 00007FF7BFF8D1B8 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf6027df1c440ae8088898872b3b6941d5ba7c9bbd69e45e8b610accfe913e3
Instruction ID: 269843fd33d113492e64247146406f5752d20a2e7aa679dcbbb629a9b2425e6c
Opcode Fuzzy Hash: faf6027df1c440ae8088898872b3b6941d5ba7c9bbd69e45e8b610accfe913e3
Instruction Fuzzy Hash: B2511A3070CA498FD748DB2D9855664B7D2FF9A31075501EEE45EC72A3CE24EC128795

Function 00007FF7BFEB1F71 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef0e4107efcb3b4c1e686c1a14655637f0e155641258348977655d1de8623a1
Instruction ID: 332c3727a67d0328b0be181efa78b6f7377d9620b6b2ccd4143fec9024264c3a
Opcode Fuzzy Hash: 2ef0e4107efcb3b4c1e686c1a14655637f0e155641258348977655d1de8623a1
Instruction Fuzzy Hash: E9917970A05A198FDB99EB58C894BA8B7F5FF59301F5041E9E00DE7265CB74AE81CF40

Function 00007FF7BFF8C07C Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e83ca29774401bbae1c927f22a53066c37e6d51e1230e11da22a55eff5ccd73
Instruction ID: 2d571dd72016b99eabe0ce4498ff27272329ed771c490336cca6186e90b6bb2f
Opcode Fuzzy Hash: 4e83ca29774401bbae1c927f22a53066c37e6d51e1230e11da22a55eff5ccd73
Instruction Fuzzy Hash: D351017171DA898FD785EB6C8855668BBE1FF56310B0402BEE04EC72A3DE38AC45C781

Function 00007FF7BFEB1E4F Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eddd3c6c9ffce5f24e57e4cabaa788d95a2412996896590363979c5321b3cd56
Instruction ID: ffbcc156da69cc50670c5da44eeae5baa7e11ccbaeff3311f94a61a15cb565b3
Opcode Fuzzy Hash: eddd3c6c9ffce5f24e57e4cabaa788d95a2412996896590363979c5321b3cd56
Instruction Fuzzy Hash: 3481B930909A198FDBA9EB58C894BA8B7F5FF59711F5001E9E00DE7265CB34AE81CF40

Function 00007FF7BFF8C074 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ecdfe269851c71e50e3f2f00e6365a25f0ddb1e1f2ed861f6b671c91adf88f
Instruction ID: 3d0ce3358e6e84160ab5505df18b7f2724d039be942be28dda83658c1511699e
Opcode Fuzzy Hash: 80ecdfe269851c71e50e3f2f00e6365a25f0ddb1e1f2ed861f6b671c91adf88f
Instruction Fuzzy Hash: 1D51037170EA898FD745EB7C8855668BBE1FF5631070502FAE04EC72A3DE28AC41C791

Function 00007FF7BFF8C4CA Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895a03757dfee004f7529ec6f0aabb06202531e6e3085c7a192311f6221dcd69
Instruction ID: 03be627ef26a80ccd26aee6230b563c9681ab8d01c4eb5d7848868dc2eac6ab2
Opcode Fuzzy Hash: 895a03757dfee004f7529ec6f0aabb06202531e6e3085c7a192311f6221dcd69
Instruction Fuzzy Hash: 23511771B0DA894FD759EB2C9859664BBE1FF6672074502FEE05EC71A7CD24AC02C390

Function 00007FF7BFF8031D Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f513fbc48d6953b16a0e7045440ffa96e2de2826a4abb2f6db62a7eeaef590b3
Instruction ID: 3005693984dac3eb761acb85c6009331ffbe577247bf476b6dbcef6b60301e09
Opcode Fuzzy Hash: f513fbc48d6953b16a0e7045440ffa96e2de2826a4abb2f6db62a7eeaef590b3
Instruction Fuzzy Hash: 86415931A0DAC98FD755AB2C88592A57BE1EF67321B4806FBD04DC72E3C928A805C391

Function 00007FF7BFF81BB8 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9005e602b75e786cc08804ad59af4bdfb7c947a34971d3f6191315474348d7ad
Instruction ID: 4c06924b0725cbeeae4a32a5a49437aede3edd321ef1e0b8f13163b5d9f3df5a
Opcode Fuzzy Hash: 9005e602b75e786cc08804ad59af4bdfb7c947a34971d3f6191315474348d7ad
Instruction Fuzzy Hash: 5341E120B0C9498FEB98E72CD4597B477D1EF9A312F5002BAE15EC76E6CD28EC428740

Function 00007FF7BFF822EE Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877f1174088384e4360164318194aa5e01cf2ac7a7eadb655b35eb33a8e1da67
Instruction ID: ce061ff619943099e606402394fa84f3121be50b658997fe373e16b1a0891eeb
Opcode Fuzzy Hash: 877f1174088384e4360164318194aa5e01cf2ac7a7eadb655b35eb33a8e1da67
Instruction Fuzzy Hash: 4741E330B0C9898FEB98E72C94597B877D1EF9A311F5001BEE14EC76E6CD28AC418350

Function 00007FF7BFF8C32C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5a7082fe6a58f28202019c59310eacbc2262899d7681338e83c5bd8a93c398
Instruction ID: 3711c14d7785f911b04b6ab725c061144f01f96db438667292ae6371c2ccc5e0
Opcode Fuzzy Hash: 7f5a7082fe6a58f28202019c59310eacbc2262899d7681338e83c5bd8a93c398
Instruction Fuzzy Hash: 92418F7071CE0D8FDB98EB1CD455B68B3E1FF99711B5102AAE15EC32A6CE21EC428781

Function 00007FF7BFF8C604 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9842cce0b8765746514953e267be8cee06c5203416082c692780852dbe564c
Instruction ID: 1bd114308212d40e7f945cd11d15459612a17fc74b807feca4f6a9815f749c49
Opcode Fuzzy Hash: fb9842cce0b8765746514953e267be8cee06c5203416082c692780852dbe564c
Instruction Fuzzy Hash: 8641B070B0CA498FD759EB2CD4A5664B7E1FF96310B4502FAE04EC72E7CE24A8028791

Function 00007FF7BFEB0A52 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ee05778981f981fc403951f04acd8510a8624cff1f2d645ecd564e41042477
Instruction ID: e4a391828b6c9a248d1430db7aa15cdf7286076a315d10f2a2e773a1f8f210cc
Opcode Fuzzy Hash: a5ee05778981f981fc403951f04acd8510a8624cff1f2d645ecd564e41042477
Instruction Fuzzy Hash: D1417C70C18E598EE784DF58C8A87A97BE1FBAA718F50026EC108D77DACBB52414CB40

Function 00007FF7BFEB30D0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9de3ad87722b88cb9660a123282e7f669ff58329188cd2735349cade1f5b190
Instruction ID: 5c3015dbeeb3b90cfd6713c0867f7420351ee17a69b01abcd1dd1ea568a98b81
Opcode Fuzzy Hash: a9de3ad87722b88cb9660a123282e7f669ff58329188cd2735349cade1f5b190
Instruction Fuzzy Hash: 2D219F31E0894E8FDB44DF6D98882FDB7A2FBD9711F14426AE50DE324ADB3458018791

Function 00007FF7BFF8C52D Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c965646c9cedc35f34cc9734c396ddb185cf12a301e71d1e18e5add0312303
Instruction ID: 6611e38f780b27767baa1e587999589b87e3223f4606b697c7b1c431f0e703a1
Opcode Fuzzy Hash: 49c965646c9cedc35f34cc9734c396ddb185cf12a301e71d1e18e5add0312303
Instruction Fuzzy Hash: A0217F70B19A898FD798EB2C8495268F7E2FF95711B4502BAE05EC7296CE38EC418744

Function 00007FF7BFEB275D Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f351bbf92081013c2b23a0302a2676cbdee8794acaf727ef7c9a63dc41f6d663
Instruction ID: 27a9c1722a3bb37b1131db7fe6d08f34b4c43878f2b3d6723f3d859dcc588b1d
Opcode Fuzzy Hash: f351bbf92081013c2b23a0302a2676cbdee8794acaf727ef7c9a63dc41f6d663
Instruction Fuzzy Hash: 0421AF30A1998A8FE789FB6884A56F9B7A0FF95304F8006B9F50DC61D3CE34B4508B51

Function 00007FF7BFF804FD Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f4d4d800000f3faf32a945578c83586f9e5ac205680ee93264e1ffc3d68ecb
Instruction ID: 9bcc22735aa7ec210cff24f2caec52f0c88e93a4321609c6259bc045fc750397
Opcode Fuzzy Hash: 81f4d4d800000f3faf32a945578c83586f9e5ac205680ee93264e1ffc3d68ecb
Instruction Fuzzy Hash: F711C470B0CA858FD789E72C9465278B7D1FF99711B5501BEE04DC72A6CE24AC428716

Function 00007FF7BFF806E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c2d5be10ee58cab6424516c0d251a0b3778438f71391c8af304c4d2771e0a7
Instruction ID: 58943c3df4573050ed4046211e3788a42361dc1ef401b79997f675a785824845
Opcode Fuzzy Hash: c2c2d5be10ee58cab6424516c0d251a0b3778438f71391c8af304c4d2771e0a7
Instruction Fuzzy Hash: ED11E770A1D9459FD3449B2C8015228B7D1FF99711B59026DF15DC36A2CE34EC028749

Function 00007FF7BFF82119 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ced0a52b2721074c5043ef3e0471485ac23948add2dd5393c011da36d34f52
Instruction ID: d7eedc86074e3a741546ce2455c46fbc98b5dd94f8bbf35920bbb87bbc4fd884
Opcode Fuzzy Hash: 08ced0a52b2721074c5043ef3e0471485ac23948add2dd5393c011da36d34f52
Instruction Fuzzy Hash: BB119E7070D9499FD788EB2C8459334B7D2FF98311B58016EE01EC72A2CF74AC528785

Function 00007FF7BFEB31A0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886494c3787577a758bfbf121ccb4d0ca4503e6ca69ac94f17d36481e563648b
Instruction ID: 53c908d98257e3508f084e5e42472b313a7c46a71f8bd5551aeb8347a13b67ae
Opcode Fuzzy Hash: 886494c3787577a758bfbf121ccb4d0ca4503e6ca69ac94f17d36481e563648b
Instruction Fuzzy Hash: 1311C670A0D68D5FD306EBB898A52A9BBB0FF85304F4402FBE049C24D7CE346955C7A1

Function 00007FF7BFEB07AD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c190a3747976759b060102dfb172457b03610c43184698b09ea30293d752c6
Instruction ID: 03e5e4ed4cd5b3eeaa124e6b06f6a21e23ccc163f0d2adf9052c8f1ad7c66da0
Opcode Fuzzy Hash: c7c190a3747976759b060102dfb172457b03610c43184698b09ea30293d752c6
Instruction Fuzzy Hash: F711E96280E5C54AE31276FC68E51F9BB50EF93624F9842B7F298850DBDD08754983A2

Function 00007FF7BFEB0D01 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379a23d5417828ac19b7e92ea89d0b26c0855b044b8367f1061ee624ed64ffc5
Instruction ID: 6fef6da5007d6bcda70203d449b0c6a9ce85f93fd6648dea2e48e28ad7ebd13e
Opcode Fuzzy Hash: 379a23d5417828ac19b7e92ea89d0b26c0855b044b8367f1061ee624ed64ffc5
Instruction Fuzzy Hash: 2401D2709099899FE785BB6884AA3F8FBA0FF55210F8003BAE209C60D3DE387550CB41

Function 00007FF7BFEB2CDD Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6ca41baa19a0bea5091edcc6b5af9fa9c7c39314989e625e2b6fb2fcb91261
Instruction ID: 236a65ca3d9064b6d1988170c9977e798d42a7d741d80ceb00e981ed055c51f8
Opcode Fuzzy Hash: 7d6ca41baa19a0bea5091edcc6b5af9fa9c7c39314989e625e2b6fb2fcb91261
Instruction Fuzzy Hash: 7011C83190C6CD8FDB46EF68C8686E9BFB0FF66304F4401EAD449C7092DA399545CB11

Function 00007FF7BFF807CE Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522441451.00007FF7BFF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFF80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bff80000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e314261de64a788c9d858182a0eb5ce33cfc5c4249d00ddf7390f31419274974
Instruction ID: 9820be3c8c31a3303db7616a1dc65f1dc0a9d2c07d95209edef5b7bec21be550
Opcode Fuzzy Hash: e314261de64a788c9d858182a0eb5ce33cfc5c4249d00ddf7390f31419274974
Instruction Fuzzy Hash: 7E11C83060DD858FDB95F72CC458A68BBE1EF56701B9801ADE04EC3196CB24EC81C785

Function 00007FF7BFEB3775 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b46727152c815e348a15b80e45d2759015e665c47c507188499382c80e0df0c
Instruction ID: cb8f19f46a3e90907b591f8eb91566b04e9cb1e849d88dbf00ff3ca665978654
Opcode Fuzzy Hash: 6b46727152c815e348a15b80e45d2759015e665c47c507188499382c80e0df0c
Instruction Fuzzy Hash: 9F015E70908A4D8FDF84EF58C899AEE7BF0FF69300F0005AAD418C72A1D7309554CB80

Function 00007FF7BFEB2EE0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5e84e7bd4f2f726cfb9682333a6453245c8fd51e2ea92037eed8c68fe77874
Instruction ID: b3ee917e5b2a8bd9776c629bddfa0ebf07c39f4456cb70f8dc867b3b79380abd
Opcode Fuzzy Hash: 1d5e84e7bd4f2f726cfb9682333a6453245c8fd51e2ea92037eed8c68fe77874
Instruction Fuzzy Hash: 0901C870914A4D9FDF84EF58C849AEE77F0FB68305F10066AA419D3250DB70A590CB80

Function 00007FF7BFEB2FA8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc93be2e0a2eb67f13774e3d19dbf7e89c87bc2ee9d0f6507e93ca36e57a076
Instruction ID: 324692bbc98434dbc8492938053f10cc156d51c45c9c4044a417582e209fd326
Opcode Fuzzy Hash: 6fc93be2e0a2eb67f13774e3d19dbf7e89c87bc2ee9d0f6507e93ca36e57a076
Instruction Fuzzy Hash: 58018870954A4D9FDF84EF58C849AEA77F0FB68305F10066AA419D3264DB30A594CB81

Function 00007FF7BFEB21F9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2aba43a923ae0ee5d9fc0d7f7b243e520a33b788069f02bdea0ccf40758f74
Instruction ID: 2972305c4c38d950317b8df09c8f39f0818b8bd3c82406b5c0460fe3c96be113
Opcode Fuzzy Hash: 2e2aba43a923ae0ee5d9fc0d7f7b243e520a33b788069f02bdea0ccf40758f74
Instruction Fuzzy Hash: 1301EC70918A8D8FCB85EF68C8586A97BB0FF59300F4505EAE41CD72A2D7349954CB11

Function 00007FF7BFEB2F08 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ace556aab2559984b8c923ae11ccf20a5d6d272b2fa67b1b7287bc36adef1c
Instruction ID: d89f7220f6d6525590aab16d4a682d59b2f22c0f0ce5401d67a4c60ea5c7133f
Opcode Fuzzy Hash: 24ace556aab2559984b8c923ae11ccf20a5d6d272b2fa67b1b7287bc36adef1c
Instruction Fuzzy Hash: E201A47091494D8FDF84EF98C888AFABBF0FB68305F50056AA41DD3254DB30A690CB80

Function 00007FF7BFEB3790 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77a023a40af83e4ea4463d8b5eaff3adbc513b90f1af34f6a8cd0098f95a9c4
Instruction ID: dea79e44c2e6876da4dd9c861faa1333138d21f6e2c61229bc22842921509fe6
Opcode Fuzzy Hash: a77a023a40af83e4ea4463d8b5eaff3adbc513b90f1af34f6a8cd0098f95a9c4
Instruction Fuzzy Hash: 0201EC7091491D8FDF84EF58C848AEEBBF0FF68305F00056AE419D3260DB709694CB80

Function 00007FF7BFEB0D99 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375f87a57465957cc3dc60f5aff7d4f322e5739edab1dc8129e93dd7982d1ed1
Instruction ID: 672cc8899b3c1bd64e583faf55ba378b26a2362a04e4369c6034eb0413a2639d
Opcode Fuzzy Hash: 375f87a57465957cc3dc60f5aff7d4f322e5739edab1dc8129e93dd7982d1ed1
Instruction Fuzzy Hash: 3DF0C27190E6CD9FD351AB6888982E8BFB0FF56220F4402EBE208C70D3DA397594C751

Function 00007FF7BFEB2D68 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70848422f649c27b0fc384900d54b18261b26823793b9bb1643c533f3df120a1
Instruction ID: 666893cfabc870afec6b0ff8dd10d4ad6e36239bade54b6aa0001984ca00ea8d
Opcode Fuzzy Hash: 70848422f649c27b0fc384900d54b18261b26823793b9bb1643c533f3df120a1
Instruction Fuzzy Hash: 13F03A3491898C9FDF95EFA8C498AE9BBA0FF69305F4401AAE409C2591DB319A94CB40

Function 00007FF7BFEB2D70 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f631dfc460940ae2d237ce6e5c3ff05752ce5ff5b53ecfd3da359df54efca32e
Instruction ID: 73471d9a80601acc01d13dbc562b131ef9d8545e8daa3d8778e91e2557282fcb
Opcode Fuzzy Hash: f631dfc460940ae2d237ce6e5c3ff05752ce5ff5b53ecfd3da359df54efca32e
Instruction Fuzzy Hash: C2F01C3091494C9FDF84EFA8C498AE9BBF0FF69305F4041AAE40DC3190DB31A694CB40

Function 00007FF7BFEB0875 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1522055241.00007FF7BFEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7BFEB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7bfeb0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee6b4c5f3937228fda68fc0e2cfc092e51c619dd90515970398f1755d17a0ab
Instruction ID: 7941fdc5b91b2e3ea13edd1a69efe548d6df45b86ee4b7f46dc09873c6d7c6bb
Opcode Fuzzy Hash: dee6b4c5f3937228fda68fc0e2cfc092e51c619dd90515970398f1755d17a0ab
Instruction Fuzzy Hash: 2CE0C02184D7C94EE75363AC59A11F97B70AFA3504F8A02A3F688C64D7991879288772

Non-executed Functions

Function 00007FF7C00F9390 Relevance: .6, Instructions: 593COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1523529629.00007FF7C00D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff7c00d0000_Z4uyrnCQ8L.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4ef6c9b48d16e52162fbeab459b8eafb34abf4d35878d1d965df422f493e86
Instruction ID: fc7e3cfab3757517f6b621357339456e135641fdb3bfc89035ed8531b9e9a347
Opcode Fuzzy Hash: ce4ef6c9b48d16e52162fbeab459b8eafb34abf4d35878d1d965df422f493e86
Instruction Fuzzy Hash: 3F020531E0C65A4BE7A87B28605527AF6C1FF45774FA5017EE4CEC62C2DF19B84283A1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Z4uyrnCQ8L.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Z4uyrnCQ8L.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
Z4uyrnCQ8L.exe

Function 00007FF7BFF8A530 Relevance: 4.6, Strings: 2, Instructions: 2107
COMMON

Function 00007FF7C00E16B6 Relevance: 3.8, Strings: 1, Instructions: 2536
COMMON

Function 00007FF7C00D6776 Relevance: 2.1, Strings: 1, Instructions: 896
COMMON

Function 00007FF7C00E25EA Relevance: 1.8, Strings: 1, Instructions: 571
COMMON

Function 00007FF7BFF8A591 Relevance: 1.1, Instructions: 1132
COMMON

Function 00007FF7BFF8C6E2 Relevance: 1.7, Strings: 1, Instructions: 480
COMMON

Function 00007FF7C00DBB21 Relevance: 1.7, APIs: 1, Instructions: 166
fileCOMMON

Function 00007FF7C00D0DD9 Relevance: 1.6, APIs: 1, Instructions: 118
windowCOMMON

Function 00007FF7C00D5239 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Function 00007FF7C00DB165 Relevance: 1.6, APIs: 1, Instructions: 101
fileCOMMON

Function 00007FF7BFF8D9CA Relevance: 1.4, Strings: 1, Instructions: 133
COMMON