Edit tour

Windows Analysis Report
j7movK82QT.exe

Overview

General Information

Sample name:	j7movK82QT.exe renamed because original name is a hash value
Original sample name:	ae4f6a70db219c382719464a54540963ed92aa942dcd9b09c3f255a22e0074ef.exe
Analysis ID:	1554432
MD5:	4dfea649105e2f2d2fa1ba873f38fbb4
SHA1:	c1421ba2baa3774fea5de3c10f943f3345225364
SHA256:	ae4f6a70db219c382719464a54540963ed92aa942dcd9b09c3f255a22e0074ef
Tags:	4-251-123-83exeRedLineStealeruser-JAMESWT_MHT
Infos:

Detection

Meduza Stealer, PureLog Stealer, RedLine, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Meduza Stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

j7movK82QT.exe (PID: 2148 cmdline: "C:\Users\user\Desktop\j7movK82QT.exe" MD5: 4DFEA649105E2F2D2FA1BA873F38FBB4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: RedLine

{"C2 url": "4.251.123.83:6677"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
j7movK82QT.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
j7movK82QT.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
j7movK82QT.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
j7movK82QT.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45c1f:$s1: file:/// 0x45b57:$s2: {11111-22222-10009-11112} 0x45baf:$s3: {11111-22222-50001-00000} 0x423fa:$s4: get_Module 0x42864:$s5: Reverse 0x45226:$s6: BlockCopy 0x42c23:$s7: ReadByte 0x45c31:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000000.1438726216.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000000.1438726216.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1524678221.000000000316D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: j7movK82QT.exe PID: 2148	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: j7movK82QT.exe PID: 2148	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: j7movK82QT.exe PID: 2148	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.j7movK82QT.exe.da0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.j7movK82QT.exe.da0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.j7movK82QT.exe.da0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.0.j7movK82QT.exe.da0000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45c1f:$s1: file:/// 0x45b57:$s2: {11111-22222-10009-11112} 0x45baf:$s3: {11111-22222-50001-00000} 0x423fa:$s4: get_Module 0x42864:$s5: Reverse 0x45226:$s6: BlockCopy 0x42c23:$s7: ReadByte 0x45c31:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T14:51:36.620226+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.11	49706	TCP
2024-11-12T14:52:16.634060+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.11	64973	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T14:51:25.227623+0100	2046056	1	A Network Trojan was detected	4.251.123.83	6677	192.168.2.11	49705	TCP

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T14:51:24.656472+0100	2046045	1	A Network Trojan was detected	192.168.2.11	49705	4.251.123.83	6677	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: j7movK82QT.exe

Avira: detected

Found malware configuration

Source: j7movK82QT.exe.2148.0.memstrmin

Malware Configuration Extractor: RedLine {"C2 url": "4.251.123.83:6677"}

Multi AV Scanner detection for submitted file

Source: j7movK82QT.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: j7movK82QT.exe

Joe Sandbox ML: detected

Source: j7movK82QT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: j7movK82QT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.11:49705 -> 4.251.123.83:6677
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 4.251.123.83:6677 -> 192.168.2.11:49705

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 4.251.123.83:6677

Source: global traffic

TCP traffic: 192.168.2.11:49705 -> 4.251.123.83:6677

Source: Joe Sandbox View

ASN Name: LEVEL3US LEVEL3US

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.11:64973
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.11:49706

Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83

Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: j7movK82QT.exe, 00000000.00000002.1534387786.000000001C0CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldbBF/ equals www.youtube.com (Youtube)
Source: j7movK82QT.exe, 00000000.00000002.1524678221.000000000373F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: qC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: j7movK82QT.exe, 00000000.00000002.1524678221.000000000373F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: qC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldbH equals www.youtube.com (Youtube)

Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: j7movK82QT.exe, 00000000.00000002.1524678221.000000000316D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp, j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field1
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp, j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field1Response
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field2
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp, j7movK82QT.exe, 00000000.00000002.1524678221.000000000316D000.00000004.00000800.00020000.00000000.sdmp, j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field2Response
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field3
Source: j7movK82QT.exe, 00000000.00000002.1524678221.000000000316D000.00000004.00000800.00020000.00000000.sdmp, j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field3Response
Source: j7movK82QT.exe, 00000000.00000002.1524678221.000000000339A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: j7movK82QT.exe, 00000000.00000002.1524678221.000000000339A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\j7movK82QT.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: j7movK82QT.exe, type: SAMPLE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.j7movK82QT.exe.da0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: j7movK82QT.exe, Strings.cs

Large array initialization: Strings: array initializer size 6160

Source: j7movK82QT.exe, 00000000.00000002.1524678221.000000000316D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs j7movK82QT.exe
Source: j7movK82QT.exe, 00000000.00000000.1438726216.0000000000E2E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGristles.exe" vs j7movK82QT.exe
Source: j7movK82QT.exe	Binary or memory string: OriginalFilenameGristles.exe" vs j7movK82QT.exe

Source: j7movK82QT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: j7movK82QT.exe, type: SAMPLE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.j7movK82QT.exe.da0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: j7movK82QT.exe, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: j7movK82QT.exe, Class4.cs	Cryptographic APIs: 'CreateDecryptor'
Source: j7movK82QT.exe, Class4.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\j7movK82QT.exe

File created: C:\Users\user\AppData\Local\Microsoft\Wind?ws

Jump to behavior

Source: C:\Users\user\Desktop\j7movK82QT.exe

Mutant created: NULL

Source: j7movK82QT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: j7movK82QT.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\j7movK82QT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\j7movK82QT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\j7movK82QT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\j7movK82QT.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\j7movK82QT.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: j7movK82QT.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\j7movK82QT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: j7movK82QT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: j7movK82QT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: j7movK82QT.exe, Class4.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: j7movK82QT.exe

Static PE information: 0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]

Source: C:\Users\user\Desktop\j7movK82QT.exe	Code function: 0_2_00007FFE7CEF00BD pushad ; iretd	0_2_00007FFE7CEF00C1
Source: C:\Users\user\Desktop\j7movK82QT.exe	Code function: 0_2_00007FFE7CEF5CB0 push edi; iretd	0_2_00007FFE7CEF5CB6
Source: C:\Users\user\Desktop\j7movK82QT.exe	Code function: 0_2_00007FFE7CEF63EE push ss; retf	0_2_00007FFE7CEF63EF
Source: C:\Users\user\Desktop\j7movK82QT.exe	Code function: 0_2_00007FFE7CFC2004 pushad ; retf	0_2_00007FFE7CFC2005
Source: C:\Users\user\Desktop\j7movK82QT.exe	Code function: 0_2_00007FFE7D111208 pushad ; retf	0_2_00007FFE7D111209

Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\j7movK82QT.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\j7movK82QT.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: \QEMU-GA.EXE

Source: C:\Users\user\Desktop\j7movK82QT.exe	Memory allocated: 1480000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Memory allocated: 1B0C0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\j7movK82QT.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\j7movK82QT.exe	Window / User API: threadDelayed 1383			Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Window / User API: threadDelayed 4794			Jump to behavior

Source: C:\Users\user\Desktop\j7movK82QT.exe TID: 2660	Thread sleep time: -19369081277395017s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe TID: 3392	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\j7movK82QT.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\j7movK82QT.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696503903o
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696503903x
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696503903
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696503903\|UE
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696503903
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696503903
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696503903
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696503903t
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
Source: j7movK82QT.exe, 00000000.00000002.1534474031.000000001C11B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
Source: j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696503903t
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696503903s
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696503903j
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696503903f
Source: j7movK82QT.exe, 00000000.00000002.1529564763.00000000131EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903

Source: C:\Users\user\Desktop\j7movK82QT.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\j7movK82QT.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\j7movK82QT.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\j7movK82QT.exe	Queries volume information: C:\Users\user\Desktop\j7movK82QT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\j7movK82QT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: j7movK82QT.exe, 00000000.00000002.1536049619.000000001C6CD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\j7movK82QT.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\j7movK82QT.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\j7movK82QT.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\j7movK82QT.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\j7movK82QT.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\j7movK82QT.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: j7movK82QT.exe PID: 2148, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: j7movK82QT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.j7movK82QT.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1438726216.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: j7movK82QT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.j7movK82QT.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1438726216.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: j7movK82QT.exe PID: 2148, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: j7movK82QT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.j7movK82QT.exe.da0000.0.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: hieplnfojfccegoloniefimmbfjdgcgp\|Electrum
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectronCashE#
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne\|JaxxxLiberty
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: idkppnahnmmggbmfkjhiakkbkdpnmnon\|Exodus
Source: j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: j7movK82QT.exe, 00000000.00000000.1438726216.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\j7movK82QT.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior

Source: Yara match	File source: 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1524678221.000000000316D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: j7movK82QT.exe PID: 2148, type: MEMORYSTR

Remote Access Functionality

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: j7movK82QT.exe PID: 2148, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: j7movK82QT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.j7movK82QT.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1438726216.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: j7movK82QT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.j7movK82QT.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1438726216.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: j7movK82QT.exe PID: 2148, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: j7movK82QT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.j7movK82QT.exe.da0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
j7movK82QT.exe	66%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
j7movK82QT.exe	100%	Avira	HEUR/AGEN.1312138
j7movK82QT.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
4.251.123.83:6677	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
4.251.123.83:6677	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp, j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discord.com/api/v9/users/	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field1Response	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp, j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	j7movK82QT.exe, 00000000.00000002.1524678221.000000000316D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ip.sb/ip	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/sc	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.w3.oh	j7movK82QT.exe, 00000000.00000002.1524678221.000000000339A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field1	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/envelope/	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field2	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field3	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/06/addressingex	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.w3.o	j7movK82QT.exe, 00000000.00000002.1524678221.000000000339A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field3Response	j7movK82QT.exe, 00000000.00000002.1524678221.000000000316D000.00000004.00000800.00020000.00000000.sdmp, j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	j7movK82QT.exe, 00000000.00000002.1529564763.000000001338C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	j7movK82QT.exe, 00000000.00000002.1524678221.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2002/12/policy	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit	j7movK82QT.exe, 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
4.251.123.83	unknown	United States		3356	LEVEL3US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554432
Start date and time:	2024-11-12 14:50:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	j7movK82QT.exe renamed because original name is a hash value
Original Sample Name:	ae4f6a70db219c382719464a54540963ed92aa942dcd9b09c3f255a22e0074ef.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target j7movK82QT.exe, PID 2148 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: j7movK82QT.exe

Simulations

Behavior and APIs

Time	Type	Description
08:51:25	API Interceptor	31x Sleep call for process: j7movK82QT.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
4.251.123.83	file.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEVEL3US	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	65.90.191.211
	sora.arm.elf	Get hash	malicious	Mirai	Browse	4.98.147.155
	DEMASI-24-12B DOC. SCAN.exe	Get hash	malicious	GuLoader, Remcos	Browse	4.150.155.223
	amen.arm6.elf	Get hash	malicious	Mirai	Browse	7.167.215.90
	amen.x86.elf	Get hash	malicious	Mirai	Browse	11.22.83.104
	amen.arm.elf	Get hash	malicious	Unknown	Browse	6.17.53.0
	zgp.elf	Get hash	malicious	Mirai	Browse	9.168.203.84
	amen.m68k.elf	Get hash	malicious	Unknown	Browse	7.229.51.211
	amen.sh4.elf	Get hash	malicious	Mirai	Browse	8.91.25.183
	amen.spc.elf	Get hash	malicious	Mirai	Browse	65.59.28.22

Process:	C:\Users\user\Desktop\j7movK82QT.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2611
Entropy (8bit):	5.363358188931451
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkafHKWA1eXrHKlT48BHK7HKmTHlHNW:iq+wmj0qCYqGSI6oPtzHeqKkGqhA7qZR
MD5:	CEA017D10C4D437981D19F21660A47FA
SHA1:	61AAFCECB5325DE172857CEF7C7E1F230F73AFFD
SHA-256:	60B099420455DECD1878FE84F217CFE478BA0BA5E6E574077150D08355A1DD96
SHA-512:	413384BF9D2EDC9BC2DF6D5175D09A33B91CCF9C53FE3CB21892CB57AF4FD8A9BE0608E9BCA57AF4A7F2709A4C110148719DA3210460DF433CFD77FA753B9CF8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.1802238135466485
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	j7movK82QT.exe
File size:	743'424 bytes
MD5:	4dfea649105e2f2d2fa1ba873f38fbb4
SHA1:	c1421ba2baa3774fea5de3c10f943f3345225364
SHA256:	ae4f6a70db219c382719464a54540963ed92aa942dcd9b09c3f255a22e0074ef
SHA512:	d0ad259d21fe6a1588cce029529a14d35640bf411186383f8e2a07106d7fc63abb0594d8169b3b152a46ea53a4c70ac12a5ada7106c3ed389952cc5e40522052
SSDEEP:	12288:yDlYDzqxxXBNt1BrivR0V4TBjgYxs1wl206gBawFV2ceSb0BQ/GfM/4QiAzojgJu:yDlY3qxx1NNXo
TLSH:	A1F4701C5BBC058CEC8CD531BE20C9326EA04E08919FCB49A569FA151EB6277B3F5BD1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	0e9696961617e982

Static PE Info

General

Entrypoint:	0x44d0ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4d0a0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4e000	0x6a022	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4b0f4	0x4b200	5d63634ddb8764feaaa7142fe315e4aa	False	0.418010997296173	data	6.528769809109299	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4e000	0x6a022	0x6a200	65e4195d76e2641b30f5c060426a53b1	False	0.04090059997055359	data	3.4733020781588206	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0xc	0x200	3a13fecd19ca9773d82cc3855bc1b8eb	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4e2b0	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	0.019047548598988075
RT_ICON	0x902d8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.03903939429788241
RT_ICON	0xa0b00	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.0580460374185411
RT_ICON	0xa9fa8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.08243992606284659
RT_ICON	0xaf430	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.0987836561171469
RT_ICON	0xb3658	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.14284232365145227
RT_ICON	0xb5c00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.22537523452157598
RT_ICON	0xb6ca8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.30901639344262294
RT_ICON	0xb7630	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.4530141843971631
RT_GROUP_ICON	0xb7a98	0x84	data	0.7196969696969697
RT_VERSION	0xb7b1c	0x31c	data	0.4535175879396985
RT_MANIFEST	0xb7e38	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-12T14:51:24.656472+0100	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	1	192.168.2.11	49705	4.251.123.83	6677	TCP
2024-11-12T14:51:25.227623+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	4.251.123.83	6677	192.168.2.11	49705	TCP
2024-11-12T14:51:36.620226+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.11	49706	TCP
2024-11-12T14:52:16.634060+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.11	64973	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 14:51:23.731570005 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:23.736499071 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:23.736637115 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:23.738617897 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:23.743391037 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:24.557214022 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:24.601022005 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:24.656471968 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:24.662259102 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:24.894155025 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:24.927970886 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:24.935195923 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.227531910 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.227550030 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.227564096 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.227617025 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:25.227622986 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.227638006 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.227648020 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.227667093 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.227667093 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:25.227679968 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.227696896 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.227706909 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:25.227724075 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.227747917 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:25.227758884 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:25.228296995 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.228406906 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.228461981 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:25.344302893 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.344341993 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.344356060 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.344412088 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.344424963 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.344433069 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:25.344469070 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:25.344666958 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:25.344722033 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:28.483519077 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:28.788408041 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:29.397912979 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.227045059 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.227144957 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.228687048 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.228780985 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.229202032 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.229682922 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.229741096 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.229840040 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.229895115 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.230206013 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.230262041 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.230451107 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.230499983 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.230797052 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.230854034 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.230994940 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.231045008 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.231499910 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.231559992 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.231648922 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.232721090 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.233201027 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.233223915 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.233258963 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.233278036 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.233588934 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.233639002 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.233715057 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.233789921 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.234510899 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.234524012 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.234572887 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.234736919 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.234749079 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.234800100 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.235059023 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.235111952 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.235184908 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.235234976 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.235277891 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.235287905 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.235346079 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.235680103 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.235691071 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.235740900 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.236960888 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.237010002 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.237015963 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.237076044 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.240194082 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.240259886 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.240516901 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.240581036 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.241883993 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.241961956 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.241997957 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.242008924 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.242043972 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.242068052 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.242090940 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.244113922 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.244163990 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.244179964 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.244204044 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.244224072 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.244256973 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.244311094 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.244323015 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.244334936 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.244375944 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.244394064 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.244405031 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.244473934 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.244483948 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.244539976 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.244553089 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.244602919 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.246839046 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.246849060 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.246912956 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.249546051 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.249557018 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.249573946 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.249588013 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.249620914 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.249631882 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.249639988 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.249664068 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.249695063 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.249707937 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.249717951 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.249727011 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.249744892 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.249762058 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.249774933 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.249800920 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.249834061 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.249841928 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.249852896 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.249896049 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.249994993 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250006914 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250046968 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250056028 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.250076056 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250118017 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.250148058 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250149965 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.250159979 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250200987 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.250245094 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250255108 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250323057 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250332117 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250370979 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250412941 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250446081 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250462055 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250575066 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250583887 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250658035 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250667095 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250783920 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250793934 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250802994 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250813007 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250823975 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250917912 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250932932 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250941992 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250958920 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.250967979 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251055002 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251065016 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251075029 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251188040 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251197100 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251208067 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251219034 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251235962 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251283884 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.251308918 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251333952 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251357079 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.251364946 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251485109 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251494884 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251522064 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251532078 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251629114 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251638889 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.251671076 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.254900932 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.254911900 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.254990101 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255001068 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255040884 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255110025 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255135059 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255157948 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255263090 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255300999 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255409002 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255470037 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255481005 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255523920 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255623102 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255641937 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255652905 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255664110 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255676031 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255701065 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255764008 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255799055 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255886078 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255897045 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255981922 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.255992889 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256055117 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256066084 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256150007 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256160975 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256174088 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256192923 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256218910 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256438971 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256520033 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256643057 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256655931 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256839991 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256851912 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256970882 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.256980896 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257076025 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.257148981 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.257148981 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257162094 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257194996 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257205963 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257288933 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257301092 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257312059 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257391930 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257404089 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257416964 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257461071 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257472038 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257544994 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257555962 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257569075 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257586956 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257668972 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257678986 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257729053 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257738113 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257805109 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257813931 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257842064 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257870913 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257987976 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.257997036 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258033037 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258043051 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258079052 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258090019 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258101940 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258160114 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258205891 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258214951 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258253098 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258261919 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258291006 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258378983 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258388042 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258397102 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258414030 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258423090 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258457899 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258467913 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258512974 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258522034 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258615971 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258625984 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258651018 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.258660078 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.261991024 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262061119 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262073040 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262083054 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262145996 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262156010 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262233019 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262243986 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262255907 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262260914 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.262274981 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262326956 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.262329102 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262358904 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262408972 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262419939 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262459040 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262499094 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262551069 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262561083 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262615919 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262626886 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262698889 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262708902 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262759924 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262769938 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262818098 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262896061 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262906075 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262917995 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262969017 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.262979984 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263070107 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263081074 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263149023 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263159990 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263173103 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263215065 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263248920 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263266087 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263319969 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263330936 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263355017 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263408899 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263444901 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263505936 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263520002 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263602018 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263649940 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263660908 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263701916 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263712883 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263770103 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263803959 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.263848066 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267127991 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267139912 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267185926 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267194986 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267242908 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267252922 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267270088 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267282963 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267326117 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.267345905 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267359018 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267371893 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267383099 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267385960 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.267402887 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267414093 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267440081 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267448902 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267504930 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267514944 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267539024 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267548084 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267587900 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267596960 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267708063 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267718077 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267781973 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267843962 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267903090 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267911911 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267937899 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267947912 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267982006 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.267992973 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268004894 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268023014 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268058062 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268069029 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268178940 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268189907 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268199921 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268210888 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268229961 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268239021 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268256903 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268265963 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268284082 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268292904 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268332958 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268342018 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268387079 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268393993 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268421888 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268433094 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.268444061 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272201061 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272212982 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272250891 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272262096 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272280931 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272291899 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272337914 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272349119 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272387028 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272397995 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272414923 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.272424936 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272435904 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272473097 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272481918 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.272492886 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272536993 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272547960 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272579908 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272589922 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272638083 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272649050 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272666931 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272676945 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272773981 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272783995 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272809982 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272826910 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272855043 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272880077 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272958040 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.272968054 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273003101 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273013115 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273022890 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273067951 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273107052 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273116112 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273165941 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273175955 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273210049 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273224115 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273236990 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273330927 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273339987 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273349047 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273367882 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273376942 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273395061 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273403883 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273437977 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273447990 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273482084 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273493052 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.273504972 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277225971 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277240038 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277340889 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277353048 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277371883 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277383089 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277395964 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277426958 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.277476072 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277487040 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277489901 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.277506113 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277517080 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277545929 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277575970 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277620077 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277681112 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277695894 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277709007 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277731895 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277744055 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277770996 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277782917 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277793884 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277803898 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277825117 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277836084 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277854919 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277864933 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277889013 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277900934 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.277931929 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.321997881 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.323837042 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.323920965 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.323920965 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.323966980 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.346340895 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.351756096 CET	49705	6677	192.168.2.11	4.251.123.83
Nov 12, 2024 14:51:30.356606960 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:30.376740932 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:31.148921967 CET	6677	49705	4.251.123.83	192.168.2.11
Nov 12, 2024 14:51:31.168576002 CET	49705	6677	192.168.2.11	4.251.123.83

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 14:51:38.436125994 CET	53	58916	1.1.1.1	192.168.2.11

Target ID:	0
Start time:	08:51:21
Start date:	12/11/2024
Path:	C:\Users\user\Desktop\j7movK82QT.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\j7movK82QT.exe"
Imagebase:	0xda0000
File size:	743'424 bytes
MD5 hash:	4DFEA649105E2F2D2FA1BA873F38FBB4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1524678221.0000000003154000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1438726216.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1438726216.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1524678221.000000000316D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FFE7CFC22FA Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537697212.00007FFE7CFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CFC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cfc0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc31ffa6e774a7c2b53ae8891eba39d79617a1af42fac85e1c341086d222874
Instruction ID: 3baa5bbde40da1265528aba09d8b41febb0e292e3f70722a8172b521e0679e4f
Opcode Fuzzy Hash: 2dc31ffa6e774a7c2b53ae8891eba39d79617a1af42fac85e1c341086d222874
Instruction Fuzzy Hash: CD71E221B1CA894FE769D62C98556793BD1EF9A320F1401BBD45EC72F3CD19AC428381

Function 00007FFE7CFC1BC8 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537697212.00007FFE7CFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CFC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cfc0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f6875df4c38316382fa8fd6b39c7afe388805219370cbb119f1cd957d619af
Instruction ID: 88971a5a7a345becda947b86e5db5b2a74df03149aea4f615b07deba13a8f6b9
Opcode Fuzzy Hash: 03f6875df4c38316382fa8fd6b39c7afe388805219370cbb119f1cd957d619af
Instruction Fuzzy Hash: 7E710221B1CD894FEB68D22C98156B93BD1EF9A320F1441BBE45EC72F3DD19AC428781

Function 00007FFE7D117620 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbe7e8b35bd2ebb0eb45f028f495772ca07f3877739dae512123c9e3a87eb95
Instruction ID: aeecf106fac09b1cd859fe90a2cd0d50ce0e6a6dfaeaaff612243cb8006c58a1
Opcode Fuzzy Hash: 7dbe7e8b35bd2ebb0eb45f028f495772ca07f3877739dae512123c9e3a87eb95
Instruction Fuzzy Hash: 8791677091892D9FDBA4EB18C898BA9B7F1FB58301F5441EAD00DE36A1DB756E81CF40

Function 00007FFE7CEF0F4F Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b3534fd8c24019eeed7d2c848cb103a23be6f6bb352aab7911e4a244b49f2a
Instruction ID: 1558dbe33d9f3fafa5770e9b23a831d3c77d4c99b96803646af6924b79e384d1
Opcode Fuzzy Hash: 54b3534fd8c24019eeed7d2c848cb103a23be6f6bb352aab7911e4a244b49f2a
Instruction Fuzzy Hash: C5716F74A1491C8FCB94EB18C898BA8B7F2FF59301F5441E9914DE7265DB30AE81CF44

Function 00007FFE7D113EDC Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1127a042e0dd0c303f3131ea8c8348c925c95d2e2e250b92316125f7945467e0
Instruction ID: 5a3c190f21ad6c631bdee6d7322e2a75c2abb78eb7306bdac93dcc1c1c3792a0
Opcode Fuzzy Hash: 1127a042e0dd0c303f3131ea8c8348c925c95d2e2e250b92316125f7945467e0
Instruction Fuzzy Hash: F861A37091851E8FDFA8EB18C895AE8B7B1FF58304F5401AAD01DE7261DB75AD81CF40

Function 00007FFE7CFC031D Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537697212.00007FFE7CFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CFC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cfc0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2340bc600da4022f95df0043bebfc5c2cb364ac5747b533de88ad76008d575b0
Instruction ID: 944c5029ff3177e49f992ee3acb60e7a1b12b319e276ee8c434de0bf9f5f67c0
Opcode Fuzzy Hash: 2340bc600da4022f95df0043bebfc5c2cb364ac5747b533de88ad76008d575b0
Instruction Fuzzy Hash: 8D31F33161DA854FD769972C88996753FE0EFA7320B1902FBD469C71F3D928AC068781

Function 00007FFE7CEF0DF5 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343f4d1fcb68a8cd2637eb5658ae421ac885df7abd829db9012649ed3716cf5a
Instruction ID: 8a86e006289e4199508dfb22896e017095d21389ff1adfe3d59cd852fdc975cf
Opcode Fuzzy Hash: 343f4d1fcb68a8cd2637eb5658ae421ac885df7abd829db9012649ed3716cf5a
Instruction Fuzzy Hash: 4C51F675A1961D8FDB98DF18C894AADB7B1FF58300F1441AAD00DE72A1DB34AD85CB40

Function 00007FFE7CEF15CF Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ab5f8da19c26ec36e1cc6bb819ab5910e1dc0ae6941ecbc989ba15f5e67abb
Instruction ID: 2b15d9519f7547a61ce60a4fafd22b7d0c4b84e50209b138dc8ef8e218361aa0
Opcode Fuzzy Hash: 43ab5f8da19c26ec36e1cc6bb819ab5910e1dc0ae6941ecbc989ba15f5e67abb
Instruction Fuzzy Hash: 15519F75A1961D8FDB98DF58C894AACB7B6FF58300F5041A9D01EEB2A1CB35AD81CF00

Function 00007FFE7D112465 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70a5b3b05aee1c3f740ac56d96cf1b02642d900722e48baa2b54a58308971df
Instruction ID: 1f30ea81d7c43d40d5772dbbdd90a1cae3dd1deb4184a8fcd418ef8005499458
Opcode Fuzzy Hash: a70a5b3b05aee1c3f740ac56d96cf1b02642d900722e48baa2b54a58308971df
Instruction Fuzzy Hash: 4A418E31918A5E8FDB54DF58C855AED7BB0FF19304F0402BBE459C32A1EB35A941CB81

Function 00007FFE7D113BE1 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b66b74a1a6e51d7f567e17d91fe71671f844d324f2359703220f56b2e1f019
Instruction ID: a37188e65d0bf7398f3b3c1351b7796c5b5031c6c91acedfacf1bda77331b1d6
Opcode Fuzzy Hash: 74b66b74a1a6e51d7f567e17d91fe71671f844d324f2359703220f56b2e1f019
Instruction Fuzzy Hash: 3C411B71919A5D8FEBE4EB2888557E977A1FF48310F1402FAD40CD32A5DF79AD808B40

Function 00007FFE7D11157B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1e1ac896ac07039ff01b1c516466aa2d3ed502b9832332d332d95c0a84be13
Instruction ID: 776a1f8274380a427a31f39c6c96418320f02b8b328285800f820328817b8163
Opcode Fuzzy Hash: 4a1e1ac896ac07039ff01b1c516466aa2d3ed502b9832332d332d95c0a84be13
Instruction Fuzzy Hash: C331A470D18A1D8FDBA4EB6884556FCB7B6EF59301F9041BAD01DE72A1DE35AD81CB00

Function 00007FFE7D111802 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589f6a840310cd7619bd9a9d416f542eb573cf5c32765a1f544a2c0f9d2e1941
Instruction ID: 85f71247308fafad1772bad06817404f71670de250b36c1ad9fd024938231cb0
Opcode Fuzzy Hash: 589f6a840310cd7619bd9a9d416f542eb573cf5c32765a1f544a2c0f9d2e1941
Instruction Fuzzy Hash: F941A730D2992D8FDBA8EB1884557F8B2B5EF59301F5041FAD01DE32A2DA356EC08B50

Function 00007FFE7D115FB9 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35100816c491c3fcb668477b3360347ffa95639b66204325f44537afd85c70b5
Instruction ID: 3110624a708f9907b5f64229314561fc728c27875cce3d499522f2b7a88dd1df
Opcode Fuzzy Hash: 35100816c491c3fcb668477b3360347ffa95639b66204325f44537afd85c70b5
Instruction Fuzzy Hash: F531E971D1891D8FDB94EB98C4856EDB7F1FF58311F6042AAD00DE7255DB35A881CB40

Function 00007FFE7D11207D Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119e6baae89dc9b12e21637511c8572f79fcb8cc4fa145de72ef0eaa7eb76052
Instruction ID: 6d1fd14f21e6303f8902f2655230e73b2f8f0729e4851f77e2b2e772e61ef659
Opcode Fuzzy Hash: 119e6baae89dc9b12e21637511c8572f79fcb8cc4fa145de72ef0eaa7eb76052
Instruction Fuzzy Hash: 7B31DA71D2991D8FDBA4EB18C885BADB3B5FF59300F5042B6D01DD32A1DB39A9818B40

Function 00007FFE7D111F4B Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e09b8a59649828dd5cc605365cbee04a5ecc099ae04390610b4389afd9a2f4b
Instruction ID: 85bbdeb7e8922065a767acc597f14556fda3fa97e4e3df0b6f93f1f4bacc8a3e
Opcode Fuzzy Hash: 3e09b8a59649828dd5cc605365cbee04a5ecc099ae04390610b4389afd9a2f4b
Instruction Fuzzy Hash: 39312D71D2891E8FDBA4EB5894556FCB7F1FF59300F50017AD01DE32A2DB3968418B40

Function 00007FFE7D113D4D Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd740c1a00fe239e702e8db58f5bfd2e119fc573822ac18be057a519592e209
Instruction ID: 61fd27c35a164b91c6f9636724e3e7cc785a376475e3405070aaad1d16d52e14
Opcode Fuzzy Hash: 4dd740c1a00fe239e702e8db58f5bfd2e119fc573822ac18be057a519592e209
Instruction Fuzzy Hash: F831F63191891A8FDFA4DF48C884BEDB7B1FF98301F5086AAD00EA6294DB356985CF40

Function 00007FFE7D112060 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a8c22ceb8d2cafc2e5d8c0ce400f055746d7a05e248a4e6703fbd21e65ef9f
Instruction ID: ea68184d7831d1d93c3d08851d5718232616f13ef7ee3d8cc575dd8877fc1e82
Opcode Fuzzy Hash: 11a8c22ceb8d2cafc2e5d8c0ce400f055746d7a05e248a4e6703fbd21e65ef9f
Instruction Fuzzy Hash: AC21EC71D2951ACEDBA4EB58C446BBDB3B5FF59300F5041BAD01DD31A2DF3969818B40

Function 00007FFE7D112428 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76361f21b475c875d193b39794a7fc579d0027963a1a50bac995af05eb9103e2
Instruction ID: 7bc459e27dbc01840eee96e3badeb2bb743300e0f36d2a1df9efed7f69e3d0b1
Opcode Fuzzy Hash: 76361f21b475c875d193b39794a7fc579d0027963a1a50bac995af05eb9103e2
Instruction Fuzzy Hash: C421AE30908A1E9FDB54EF68C458AEC77F2FF58310F14467AD419E72A5EB36A842CB40

Function 00007FFE7D112A7C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0deb2d645b99e9f8071745749bd6aaba1411eff3a4a01473d02f8664502f3d4e
Instruction ID: 98d08bbb404f4182093413384e0aff3c7b87146d63c9fa4ed28328199250570c
Opcode Fuzzy Hash: 0deb2d645b99e9f8071745749bd6aaba1411eff3a4a01473d02f8664502f3d4e
Instruction Fuzzy Hash: E2219834A1492D8FDFA4EB58C895BA8B7B1FB68305F1041EAC00DE7665DB35AD81CF40

Function 00007FFE7D111F33 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2915e278413050d5b85ada1feceaf253c32cfcda43a371575148fbc24fc9aa98
Instruction ID: 4adc9511d5a3497df055b612b768e564fa3f7d616480f8c86a6355d0d6034a55
Opcode Fuzzy Hash: 2915e278413050d5b85ada1feceaf253c32cfcda43a371575148fbc24fc9aa98
Instruction Fuzzy Hash: E121BC71D2890ECEDBA8DB589055AFCB7B5FF59301F90117AD01DE72A2DB3968818B40

Function 00007FFE7D116D6A Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0caec30e44cf1fb95d936d6c59f3b632ce30d8c7dc14b1d0f460573f654ec7e4
Instruction ID: abca1fb962e8bc4a2ceb933574236ab75ae49637d9246202d35f121fabe7fe4a
Opcode Fuzzy Hash: 0caec30e44cf1fb95d936d6c59f3b632ce30d8c7dc14b1d0f460573f654ec7e4
Instruction Fuzzy Hash: B5211A71A1895D9FDF94EFACD954AEDBBF1FF58310F04016AE019E3261DB34A8418B40

Function 00007FFE7D110A4E Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692e9cddf72e69a2d8351d3b6bb24b8738c37be48749f16ff69f1114326c0c97
Instruction ID: 4bfce261047db2e450f147b9a696a35c77948ae5183feb080cd647b164795d66
Opcode Fuzzy Hash: 692e9cddf72e69a2d8351d3b6bb24b8738c37be48749f16ff69f1114326c0c97
Instruction Fuzzy Hash: 5D21E6349189598FDFA4EB58C895BADB3B1FB58300F5045EAD00EE72A1CB75A981CF00

Function 00007FFE7D116CFA Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7de3e8649393a4395b384bb53e7246b493e10428a7f814a1722127ba34d478
Instruction ID: a333cf6adad15ab748cd18ce63244734b765a6b86bdc6497a5f3cdaffc3672a5
Opcode Fuzzy Hash: 1f7de3e8649393a4395b384bb53e7246b493e10428a7f814a1722127ba34d478
Instruction Fuzzy Hash: A1114C30918A8D9FDF45EF68C849AE97FF0FF28344F1802AAE859D3161DB31A550CB81

Function 00007FFE7D113B55 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 330fc859186002f8edc3b7123f8b08cbf14315bf2796a783dfc5906978e08486
Instruction ID: 0ceebc94b031ad3c82ccc38cdb94daf7b1bfbe88b640bf815f615c5fcc0a2301
Opcode Fuzzy Hash: 330fc859186002f8edc3b7123f8b08cbf14315bf2796a783dfc5906978e08486
Instruction Fuzzy Hash: 03111970818A4D8FCF85DF58C899AAD7BF0FF68305F05026AE859D3251DB31A990CB81

Function 00007FFE7D116140 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2c95f1c435f7afa93feedf43db6ec69fedd18835a2c533e5298c981ae540da
Instruction ID: 0be0f6a7a0415e69271fdabcc250792792f3650e374189273b29b29f64ec1124
Opcode Fuzzy Hash: 1d2c95f1c435f7afa93feedf43db6ec69fedd18835a2c533e5298c981ae540da
Instruction Fuzzy Hash: EA215470A15A1C8FDBA4EB18C895BA9B7F2FF59301F5441E9D00DE3265DB35A981CF01

Function 00007FFE7CEF3299 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8fc93894386823dbf814a56a8a6990dbafa0f7b607b22b15075e2c9ae4f70e
Instruction ID: 028fcfb390caaf37fb9370705dbc63644a6e3259c74ff3bb35a0e3dc6e4c3723
Opcode Fuzzy Hash: 1e8fc93894386823dbf814a56a8a6990dbafa0f7b607b22b15075e2c9ae4f70e
Instruction Fuzzy Hash: 00113D71C2DA5C8FEB99DB2888557E87BB1FB59310F4404EAC00DE32A2DF795985CB00

Function 00007FFE7D112AF2 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e35147e30a0f851222102ee0aeb4833195f0573428820acef9fe210c15fbf9a
Instruction ID: 8f6d1af3824bf9931725b92189c006ba42d847e30e7c36161f31c6a32f21fc25
Opcode Fuzzy Hash: 5e35147e30a0f851222102ee0aeb4833195f0573428820acef9fe210c15fbf9a
Instruction Fuzzy Hash: 2811A734A1491C8FDFA5EB58C895BE9B3B1FBA8305F1441E6D00DE3265CA35AE81CF40

Function 00007FFE7D113B70 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5565b3a5fece99c31e6d34be0ebcd4c02ec53a1c241b7f0def15817f68441acf
Instruction ID: bab67f468144aef866a8e0cb90e451f154b6687880c1015f735da3ab56e7b75c
Opcode Fuzzy Hash: 5565b3a5fece99c31e6d34be0ebcd4c02ec53a1c241b7f0def15817f68441acf
Instruction Fuzzy Hash: F9118770914A4D8FDF84EF58C849AEE7BF0FB68345F10066AA859D3250DB31A991CB81

Function 00007FFE7D112F95 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800becb4e31770d7f37bc5212eb028a6c644ec7411a759c4365636728fce979b
Instruction ID: 62ff5be4fff2a00f1cd735052383d93fbf68c29decfbe00de2636e1620714ad4
Opcode Fuzzy Hash: 800becb4e31770d7f37bc5212eb028a6c644ec7411a759c4365636728fce979b
Instruction Fuzzy Hash: 30013C70818A4D8FDF44DF18C859ADD7BE0FF28304F0502AAE819D7261D735E990CB81

Function 00007FFE7CEF1F71 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f8f60bc31fb9ad34dc6b0257981130f71b80b1ac5e7fa272fc6d5db0d842a2
Instruction ID: 674594e535061d2d0e1c08e1259465c328cd51123197bb788c6b1df75319ded7
Opcode Fuzzy Hash: b8f8f60bc31fb9ad34dc6b0257981130f71b80b1ac5e7fa272fc6d5db0d842a2
Instruction Fuzzy Hash: 26119530A1861C8FDBA9DB18C845AA873B6FF59301F1001E9D00DE7261CB71AA81CF40

Function 00007FFE7D111E6D Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4306418aa2f978a421168007c1b51d06a955a5a15f02406a90f686867268720c
Instruction ID: 9cad384de1c56dc9795610595fc0481e94e196fd01bf60d1ad31940231b7dc36
Opcode Fuzzy Hash: 4306418aa2f978a421168007c1b51d06a955a5a15f02406a90f686867268720c
Instruction Fuzzy Hash: 4E016D3180968D8FDF96DF68C8546EDBBB0FF25300F0501ABD418C71A1DB359594CB41

Function 00007FFE7D116885 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0cdfdddcc43e79789b1726a41cf08e8546a3fc9ea5c5ec015bb124df39b7cbd
Instruction ID: c2c93e25fc6c3f4b4119123a9e3039f57e348ec024f30e14d018aa99169647aa
Opcode Fuzzy Hash: c0cdfdddcc43e79789b1726a41cf08e8546a3fc9ea5c5ec015bb124df39b7cbd
Instruction Fuzzy Hash: 4D012D71918A4D8FDF84EF58C859AAE7BF0FF68300F0441AAD418D7161E7319554CB40

Function 00007FFE7D116995 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e656aa4e1e9adffa31ab6a8b019fec0e25493ef8c4b79205b3165b150382f1a6
Instruction ID: e15c8c8dd56aceec0d85fb0cae03e9137ace657e0bcea4df562618d99ee1235e
Opcode Fuzzy Hash: e656aa4e1e9adffa31ab6a8b019fec0e25493ef8c4b79205b3165b150382f1a6
Instruction Fuzzy Hash: 6C012935908A8D8FCF44DF18C895AAD7BF0FF68300F0502AAD419D7161D735A954CB81

Function 00007FFE7D1160A8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0dcb5ee35c68be864f355025436128860241da83cb1dc26996e90da5f491e3
Instruction ID: a347ad2ced413eef14410ee7b5e3b893b862b4325f366b2415a0af9e4df600aa
Opcode Fuzzy Hash: 3e0dcb5ee35c68be864f355025436128860241da83cb1dc26996e90da5f491e3
Instruction Fuzzy Hash: FE11B37091491D8FDBA4EB68C884BACB7B2FF98301F5042AAC01DE7256DF35A981CB40

Function 00007FFE7CEF0850 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbabcc952779a9eafb415598f2221a263c415a63a89e280fe2b8bd50f2fce09c
Instruction ID: 86a783913afb44d040dde22d96db8f24b33187544eb058ca7b3e649bfaab1f5d
Opcode Fuzzy Hash: dbabcc952779a9eafb415598f2221a263c415a63a89e280fe2b8bd50f2fce09c
Instruction Fuzzy Hash: 6301A7179BD5CE86E79262AD6C510F93794DF46239F0C02B3D0ACA50E3DE1D640A8191

Function 00007FFE7CEF3775 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4841de79443a063517a0d06934e9ce32bdf2c649684d208419c0aebf3ab1c944
Instruction ID: dfb4588390998f300f9c3a9485751834067ee2bbd7a82e22734f291a1ec9ddb5
Opcode Fuzzy Hash: 4841de79443a063517a0d06934e9ce32bdf2c649684d208419c0aebf3ab1c944
Instruction Fuzzy Hash: 0A015A71818A4D8FDF84EF58C858AEE7BF0FF68300F0405AAD419D72A1DB319694CB80

Function 00007FFE7D116961 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52a977e83c86056b3481449239249f5f1c292b72d903613e789761f9df97614
Instruction ID: 82112fcecdfaacab01f925964a5546b3850f1876e3d5355417c5362f94cc05a8
Opcode Fuzzy Hash: e52a977e83c86056b3481449239249f5f1c292b72d903613e789761f9df97614
Instruction Fuzzy Hash: 4B014F3555898D8FCF84DF58D4909ED77A1FF64300F14456AE41DC31A5DA32E951CB81

Function 00007FFE7D116FC5 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a3943eb6f9bd6f18794092d776737eb97def7774cce80412781d90090ae07d
Instruction ID: 09ef2c95ac6e9b2cc6f4bbf5c4a04b2616d8019b8b1b0a29c838cd29f16ac83f
Opcode Fuzzy Hash: b0a3943eb6f9bd6f18794092d776737eb97def7774cce80412781d90090ae07d
Instruction Fuzzy Hash: 92015E71918A8E8FDF85EF68C858AAD7BB0FF25300F0405ABD429C71A1EB31A954CB40

Function 00007FFE7D1146B5 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4567fc1c6a1a8d703f907067dabce059dd2e19fc0879d9b177c284793b8479
Instruction ID: 68a13667d3d357929d710a7dce22993a5a616bf4a9d8602701f2df12df4fa248
Opcode Fuzzy Hash: 2d4567fc1c6a1a8d703f907067dabce059dd2e19fc0879d9b177c284793b8479
Instruction Fuzzy Hash: 92011A31818A4D8FDF85EF68C859AAE7BB0FF64300F0405AAD419D71A1EB359994CB41

Function 00007FFE7D117525 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5837edbeedee094d90541ab231459104747c5233adff86bd0fc63de6d94e9b4
Instruction ID: 7b3131f75b53a7b80fcb300140b54cdb65c10a8df6f16e3a3c5be32566d44d3b
Opcode Fuzzy Hash: a5837edbeedee094d90541ab231459104747c5233adff86bd0fc63de6d94e9b4
Instruction Fuzzy Hash: 47011A71918A4E8FDF95EF68C858AED7BB0FF24300F0405AAD459C72A1EB35A995CB40

Function 00007FFE7D115F05 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abeb08d650cad949979b2cd72a8a1aa9fafb320c865bdd04a3a08be6cf05f9dc
Instruction ID: 877704b8f75240657efa23af4c5730b296e94a3c25b1ea741efd2b82de3869db
Opcode Fuzzy Hash: abeb08d650cad949979b2cd72a8a1aa9fafb320c865bdd04a3a08be6cf05f9dc
Instruction Fuzzy Hash: 3B01713191868E8FDF95EF68C898AAD7BF0FF25300F0401AAD419C71A1EB319950CB40

Function 00007FFE7CEF2EE0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf23ceb0855ef4bf928cf5d7ea7078f7fa2b3b76ffb53218ce513a5ce2d47097
Instruction ID: dfb7c4fdc5bfc0254bb2e5b38018bdd20a1c3f91520a7ead3bda1a15090b4163
Opcode Fuzzy Hash: cf23ceb0855ef4bf928cf5d7ea7078f7fa2b3b76ffb53218ce513a5ce2d47097
Instruction Fuzzy Hash: DE01D630954A4D9FDF84EF68C849AFE7BF0FB68305F10056AA819E3260DB71A590CB80

Function 00007FFE7D11B1B0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6159fe67212a644349ad1b1588ecd9e88b2998fa5f1ee28082392656012afd1a
Instruction ID: 835eff9d1b996526c81b12a36ef6859642f2058d174d2bd6e13598b9db259e3c
Opcode Fuzzy Hash: 6159fe67212a644349ad1b1588ecd9e88b2998fa5f1ee28082392656012afd1a
Instruction Fuzzy Hash: 44019674914A5DCFDF84EF58C889AEE7BF0FB68305F10066AA819D3260DB31A595CB81

Function 00007FFE7D111395 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551cebb910e7d93b1f409f35b55868d346f2b02071bcf061183c38ed1863cf49
Instruction ID: afcd09deeaefb53f7574f4feef0deed63191cc0b3eaf063458ae61a83021dcaf
Opcode Fuzzy Hash: 551cebb910e7d93b1f409f35b55868d346f2b02071bcf061183c38ed1863cf49
Instruction Fuzzy Hash: F0014F71818A4D8FDF85EF58C858AADBBF0FF24300F0405AAD429D71A1DB759994CB41

Function 00007FFE7CEF21F9 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ea9351e5a6e167c6aebcfa9500c2f6738707e4fbb7e01f118bc3158a0c9c0b
Instruction ID: 56c1fc845a1c28cee8fe39423856d70b91145a7100b84d45cbee4eebd277a299
Opcode Fuzzy Hash: f6ea9351e5a6e167c6aebcfa9500c2f6738707e4fbb7e01f118bc3158a0c9c0b
Instruction Fuzzy Hash: ED017C3595868D8FDB85EF58C8586AD7BF0FF59300F0501EAD428DB2A2DB34A904CB00

Function 00007FFE7CEF2F08 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f7aa2d58b022493238e5e250c3431a18f35bb60031a19f3bfe8dc3c39fd2af
Instruction ID: 2c5b4f0cf37a1be4e55f2828bbe57ef53836fbe6b4919ce3a4a524fe7d7636b0
Opcode Fuzzy Hash: a1f7aa2d58b022493238e5e250c3431a18f35bb60031a19f3bfe8dc3c39fd2af
Instruction Fuzzy Hash: 9201B67091490D8FDF84EF58C848EBEBBF0FB68305F10456AA81DE3260DB31A690CB80

Function 00007FFE7CEF185F Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c0a606f8f89b5afd27ca4045b0569fbff1e7c8c9587d11b2f67266a77932f0
Instruction ID: 8b9480bcfa5f20fde41f17d23ba86178f2f253b1022d0ba5c1d3e4dc023ba150
Opcode Fuzzy Hash: 87c0a606f8f89b5afd27ca4045b0569fbff1e7c8c9587d11b2f67266a77932f0
Instruction Fuzzy Hash: 31019930918A1C8FDFA9DB18C894AADB7B9FB18301F1001EAD00DE7261CB70AE80CF40

Function 00007FFE7D112650 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53c99fb65194ea66d7d170ac802a1e7bab5d1453747be3ef7e488e1c9dc48b7
Instruction ID: c953d8c2c82e675742cb7526afe9ad8d15df360a048ded3b8d28930e77e96a0c
Opcode Fuzzy Hash: f53c99fb65194ea66d7d170ac802a1e7bab5d1453747be3ef7e488e1c9dc48b7
Instruction Fuzzy Hash: C001BB3091490E8FDF84EF58C848AAEB7F0FB68305F10456AE819D3260DB31A594CB80

Function 00007FFE7D1134CF Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b2a93cb475a3ad6a575a2f19671bd7b72a85ed4d4a0781353a9d57d3ee5271
Instruction ID: 3157a30ecd9853c8b4f1f9e9e3b1352578fa8bb99d53d719eb72e2f7a2257f05
Opcode Fuzzy Hash: 43b2a93cb475a3ad6a575a2f19671bd7b72a85ed4d4a0781353a9d57d3ee5271
Instruction Fuzzy Hash: 720183709186188FDBA4EF58C851B99B7B1FB98304F1085AAD04DE3296DB75A9818F11

Function 00007FFE7D112678 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54aac20739bcbe34371bca243b7a313b1b9ce30305ca6b38a97408519c348158
Instruction ID: 2544119e6fffcaac7b2210a6366d6b084f56b5f83a475a789e2a0cc1483b8d18
Opcode Fuzzy Hash: 54aac20739bcbe34371bca243b7a313b1b9ce30305ca6b38a97408519c348158
Instruction Fuzzy Hash: CA01CD3491494D9FDF44EF58C449AED77E0FB68305F10026AE81DD3160DB35A594CB81

Function 00007FFE7CEF2D55 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f8efb2223aa3c3356f31a70e7cfbc148260675c5599a91600c272500987ef0
Instruction ID: dc38b6a5bb9ee2b6a4a4173d053ea3893feb8580794e7133ad8da38f544edac6
Opcode Fuzzy Hash: 20f8efb2223aa3c3356f31a70e7cfbc148260675c5599a91600c272500987ef0
Instruction Fuzzy Hash: 0DF04F35918A8C8FDB95EF58C858AAD7FB0FF69300F4401EAD419C71A1DB359594CB41

Function 00007FFE7D11705B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b183ca5771ec17cde2b58388a5f6babc701461135fb8e79418d49435f7be5de
Instruction ID: d423a9f3df988296c1d568662f7f2c0677026deb2d10092b0949d1da07ba3db7
Opcode Fuzzy Hash: 4b183ca5771ec17cde2b58388a5f6babc701461135fb8e79418d49435f7be5de
Instruction Fuzzy Hash: 5E01693190894ECFDF95EB98C810ABDB7F0EF15300F0801AAD02DC72A2DA36A951CB01

Function 00007FFE7CEF3790 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dbfee83474246972207ebef265887b5067b044547b592d02bb37c545ec936ef
Instruction ID: 4673462035b3fb35ba05a08f7dd141e0f64aab34f1e0c20931758e74a4872fff
Opcode Fuzzy Hash: 5dbfee83474246972207ebef265887b5067b044547b592d02bb37c545ec936ef
Instruction Fuzzy Hash: 1C01797495491DCFDF84EF58C848AAEBBF0FB68305F10456AE419D3260DB71A694CB81

Function 00007FFE7CEF1E4F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e2a8dce37a7b0305e7b8bd7622ab0f89c257acaf1361e3dba07e449fba00c2
Instruction ID: d9bd46180d9920c281c1e060627777395cc7f6fe47461f3d144fae927aa8fb73
Opcode Fuzzy Hash: a9e2a8dce37a7b0305e7b8bd7622ab0f89c257acaf1361e3dba07e449fba00c2
Instruction Fuzzy Hash: D7F04432D6C61E8FEBA989088C5227D73EAEF49301F100178E46DA6660DB396D51CA81

Function 00007FFE7CFC06E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537697212.00007FFE7CFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CFC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cfc0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26caf45a63fac0ff2eb245b745f3875dfff2783fbec8d0b3b946045e5d7bdacf
Instruction ID: 403dabcd2da9640e52e3506afacdeb94fc3a84bb47df79aa70c34148f8821624
Opcode Fuzzy Hash: 26caf45a63fac0ff2eb245b745f3875dfff2783fbec8d0b3b946045e5d7bdacf
Instruction Fuzzy Hash: BFF05E71728E995FD7A8DB1C805962A77E1FBE8B20B5502B9905DC3271CA359D028B01

Function 00007FFE7CFC04FF Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537697212.00007FFE7CFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CFC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cfc0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6602793e1a19af0f3afc31b5f67df915c2f4b8d0b799e6237d9a45f55fd317c9
Instruction ID: ae301edf03ddaac84608db760a3d86bdbb34bd4cee8f6c2fab9faee71f274e92
Opcode Fuzzy Hash: 6602793e1a19af0f3afc31b5f67df915c2f4b8d0b799e6237d9a45f55fd317c9
Instruction Fuzzy Hash: 93F08270728D489FD7D8E71C8068B3637D2FB9C714B1502AA900DC33B1CE25DC418705

Function 00007FFE7CFC211C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537697212.00007FFE7CFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CFC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cfc0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6009cd8c491ab356349baac5d959a759c689e8bda919635eea539a8a11dc0713
Instruction ID: d27b937f203f6cca5473bf55dedfefcfe710194f9644ecb4e3018e4b42cfde00
Opcode Fuzzy Hash: 6009cd8c491ab356349baac5d959a759c689e8bda919635eea539a8a11dc0713
Instruction Fuzzy Hash: 9DF0F871628E088FD7A9EB1C8458B3637D3FBEC715B1512AE905ED33A1DE29DC418741

Function 00007FFE7D112F61 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4984eaea512806a3af977ea38ff78b880cb8578900d764f9d9ca4288ee63c0
Instruction ID: b1142dde0ea97d3ef046968a20795d7be6dd27aa37eab10bf2c17082efda0fa2
Opcode Fuzzy Hash: eb4984eaea512806a3af977ea38ff78b880cb8578900d764f9d9ca4288ee63c0
Instruction Fuzzy Hash: EFF0F43095890EDFCF44EF58C495EED7BA1EB68304F1401A9E41ED32A1DA32E991CB81

Function 00007FFE7CEF0ADD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3fe947f4d438ee21d8b0ad59dc942d29feab213bebff2bd2e2fee1d44b668f9
Instruction ID: f7de31a95e68af0539c4a3e7fbc67e512c1bb087be6808140672528127c91bbe
Opcode Fuzzy Hash: b3fe947f4d438ee21d8b0ad59dc942d29feab213bebff2bd2e2fee1d44b668f9
Instruction Fuzzy Hash: 3F01EC7091CB4C8EE744DF18C8A979A7FE1F7A6728F54009BC048D76DADBB92519CB80

Function 00007FFE7CEF2D70 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855c8cd5258e1069d5d2ea526701914d03d9a58e4def025295c1b836c1a4d995
Instruction ID: 5450aef3abc171fe80bb28a06df7cd34cfb69121ea5164addd15537b228596eb
Opcode Fuzzy Hash: 855c8cd5258e1069d5d2ea526701914d03d9a58e4def025295c1b836c1a4d995
Instruction Fuzzy Hash: 0BF0F83492494C9FDF84EF68C848AADBBB4FB68305F4441AAA41ED31A0DB31A694CB40

Function 00007FFE7CFC07CE Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537697212.00007FFE7CFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CFC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cfc0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7eba4fd91bc897913a9e6a5c84b94c867063acf67da188eae0b503f95f931a
Instruction ID: c19930d719529eb9130758b5c6958710b82e2cfb0bdbcf5d3775d0366299123b
Opcode Fuzzy Hash: 9b7eba4fd91bc897913a9e6a5c84b94c867063acf67da188eae0b503f95f931a
Instruction Fuzzy Hash: B4F0DA30618D499FDF98EB1DC498E287BE2FFA93007584558D00EC32A1CA24EC81CB81

Function 00007FFE7D111361 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1982178cfca4193506b76c384f47d488350ab00f437dafa1116977407ae208c8
Instruction ID: 8a93cc8638496062c02d9e614ea0ab10809b9e49a2da16b6fce45abf379fa02f
Opcode Fuzzy Hash: 1982178cfca4193506b76c384f47d488350ab00f437dafa1116977407ae208c8
Instruction Fuzzy Hash: 30F0FE7191880DCFCF84EF58C4549BDB7B0FF64300B54055AE42DE71A1DA31A941CB50

Function 00007FFE7D114681 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e764a09fd4143e649c388b586d1dcd51ef5895f9d2291eec4da999c8d3ba95
Instruction ID: 000c6bf8c9b3a7457acc41e69f5b46a77393f4beb82f9b1e6d96bcbf0d920739
Opcode Fuzzy Hash: 22e764a09fd4143e649c388b586d1dcd51ef5895f9d2291eec4da999c8d3ba95
Instruction Fuzzy Hash: D2F0F83190884E8FDF85EF58C454ABD7BB0FF65304F1405AAE42ED72A1EA31AD41CB40

Function 00007FFE7D1174F1 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f866675fc72830b0e1da36241caced3e2f69e5be2ff69ed956b20f6f34d663
Instruction ID: 828d3793992edff92e74300fdbc53b4e251f11ad4a70847acc5a25b055f8bff8
Opcode Fuzzy Hash: 55f866675fc72830b0e1da36241caced3e2f69e5be2ff69ed956b20f6f34d663
Instruction Fuzzy Hash: 1CF0F83290884EDFDF84EF9CC494ABD77B0FF25300B1405AAD41ED72A1DA31A982CB40

Function 00007FFE7D1162CA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614c0deca5cbc07539b826c313dacc16ad87fdd3459bf73c27d0f5a1f683b41c
Instruction ID: 5ef7c442c6dc4c9161d329e80d23d866596b3f4daa4066aed9b2a21f0ddfa51f
Opcode Fuzzy Hash: 614c0deca5cbc07539b826c313dacc16ad87fdd3459bf73c27d0f5a1f683b41c
Instruction Fuzzy Hash: 7FF097309049598FDBA5EB28C8487E9B7B1EF68741F5041EAD05DD26A6DF359DC2CB00

Function 00007FFE7D111E4B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77de67ddfec094188a9102b9487076c2490f7a4c580a83d328c65692e1aa96e9
Instruction ID: 66c54f2d0d822886d73c7ef7c3f3ce6679f503db7070afb7543cc030ba7741e9
Opcode Fuzzy Hash: 77de67ddfec094188a9102b9487076c2490f7a4c580a83d328c65692e1aa96e9
Instruction Fuzzy Hash: 8AF0A53195881E8FCF84EF88C4949BDB7B0FF68305B1405AAE41ED72A1DA32A941CB50

Function 00007FFE7CEF3332 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101f7aabba2c1206c5ab489bfc9c50169396c477d4cb1a92a4981d0dfb102292
Instruction ID: 01c237e953b371e484157109f261a474ca2943122c153be9c5b1cb3dd69fc39a
Opcode Fuzzy Hash: 101f7aabba2c1206c5ab489bfc9c50169396c477d4cb1a92a4981d0dfb102292
Instruction Fuzzy Hash: E5F0FE3091455D8FDB9CDB28C851B9CB7B2FB58340F5040E6C00DE7696CE315D818F00

Function 00007FFE7CEF0D01 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35eb8ad730f9cbe207f03ebba9db4d58786c7da7875ff41033894b886b97c758
Instruction ID: e832bbd35149f0d19f0a59a8a06fa80c28193d27617b7af239f7314fe873524c
Opcode Fuzzy Hash: 35eb8ad730f9cbe207f03ebba9db4d58786c7da7875ff41033894b886b97c758
Instruction Fuzzy Hash: CFE09B6186D7884FE395B7384D1A2BC7E90EF55300F4805FBD145D54E3DE2960448701

Function 00007FFE7CEF0875 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d42499375de2b2afcd3ef1e389aacdd816e1010db4c5eecdd0c4f98b68bf15
Instruction ID: 0b189ed60317ee9d17e2932c5747a17f4bebff329573cb41b7ece18cd04556e4
Opcode Fuzzy Hash: 85d42499375de2b2afcd3ef1e389aacdd816e1010db4c5eecdd0c4f98b68bf15
Instruction Fuzzy Hash: E4E0C0228AD3C95ED753626C5D111B97B78DF47104F4A01A3E4A8DA4E39A1C59188362

Function 00007FFE7D115E56 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500be497f51f2ec3503d2a61027cf466a6f409ce6d04945bb5aae10678ec1ff2
Instruction ID: 782eb0bed99bb8e86dd1fe6e6d276889378c18974578688de22f1c2c7012a6ab
Opcode Fuzzy Hash: 500be497f51f2ec3503d2a61027cf466a6f409ce6d04945bb5aae10678ec1ff2
Instruction Fuzzy Hash: FAE06532A545598BDB40FB9CDC819EDB3E4FF98310B080472D008C35A2CB25B8418B81

Function 00007FFE7CEF17E9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70367569239ba5de955b634f319f279dea44e99626d0ba13c93f97345851bb1f
Instruction ID: 1d83c39cd4be8f72992abe464a8f03df86e287f5c39a565dbc629ee9b8bf3e72
Opcode Fuzzy Hash: 70367569239ba5de955b634f319f279dea44e99626d0ba13c93f97345851bb1f
Instruction Fuzzy Hash: B7F02234A15A1C8FDF95EB18C895F98B3F5EB68700F1444D5A40DD3266CA70AFC18F41

Function 00007FFE7CEF320B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03967e3f3b3e7a4b6a4f8df5735e9ebd73dedd5ecd287aabab9bd0b8c652e64
Instruction ID: 95db3f654f2f03f89bfa061a9ac1a3580d74511db1075f160cf5c3377d543448
Opcode Fuzzy Hash: d03967e3f3b3e7a4b6a4f8df5735e9ebd73dedd5ecd287aabab9bd0b8c652e64
Instruction Fuzzy Hash: 76E0C233DA880E5BE7C4EA4C9C411FC37A4EF98300F4001B2C41CE2062CF3229424280

Function 00007FFE7CEF2794 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5d61ac976511a5622a91edb49512b60f92ef64965d1f22203d52045b622969
Instruction ID: fbc1f87c635c8b78fca4e89db18e1d18cacb8911e6247945c015292bfd34fb0d
Opcode Fuzzy Hash: 3a5d61ac976511a5622a91edb49512b60f92ef64965d1f22203d52045b622969
Instruction Fuzzy Hash: 53E0E5306769898FE795FF28CC956B972D1FF58308F9404B9E419C32A7DF29A842CB00

Function 00007FFE7D112898 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826bf6d1f7ed7eec3ebb81d9ff722497a07f320ded0c049242e2b2dbeb79419c
Instruction ID: a4cac81702c574fda8e51c3b9d8572551a3bae160c111d8b41afa40bad7babe0
Opcode Fuzzy Hash: 826bf6d1f7ed7eec3ebb81d9ff722497a07f320ded0c049242e2b2dbeb79419c
Instruction Fuzzy Hash: 25E01274624A188FCB95EB18CC92AE9B3B1FF58700F1050E9D00993252CE35BD81CB41

Function 00007FFE7CEF0D74 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8bdb7c8dccd205470f07c5ce9443401a2a12f6b803ef64329f8ebfef6e9cdd
Instruction ID: ff96e2ffe393c04d0339df3f481e8f4a8cc159af40da4f15f94471f71fb38d00
Opcode Fuzzy Hash: 3d8bdb7c8dccd205470f07c5ce9443401a2a12f6b803ef64329f8ebfef6e9cdd
Instruction Fuzzy Hash: 5CD0923195850DAE9B94EF58E8456EDBBA5EF48310F4042ABE40DA21A5DE312A528A40

Function 00007FFE7CEF0DD0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6b28581d0c4886a3a32d8b44ea5a1849a87fce38083819c3fe2d6d49b7fb06
Instruction ID: dc8120ee9fac68309d8e365fd2dea5414234fdeea2306bae85202a5ceaeddb08
Opcode Fuzzy Hash: 4e6b28581d0c4886a3a32d8b44ea5a1849a87fce38083819c3fe2d6d49b7fb06
Instruction Fuzzy Hash: E4D0A93399984EAEEBA18A4CA8150F83B68EB29220F0452B3D42CE2112EF3125428600

Function 00007FFE7D116129 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d707a26a80754261e9ef63a754ee334bb251e43bc5aece409934c917c8cffba0
Instruction ID: 2d10707342f71980dd19803dfa8139440f99dc33109f9d8d4adfe1ef38978681
Opcode Fuzzy Hash: d707a26a80754261e9ef63a754ee334bb251e43bc5aece409934c917c8cffba0
Instruction Fuzzy Hash: 15E0C230918A5A4EEFF19B3848443A83BA0EB4A219F0001E6844CD17A3EF3159818B40

Function 00007FFE7CEF27E0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1537308672.00007FFE7CEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7CEF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7cef0000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c654f505c57645b74590de9af9a7749129a6000ad1170c84967549284a036af
Instruction ID: 2bd2676533dcc90b9cbae5f2fa1b8db6b301a39ee7386b8ae0469c8cf8da3aab
Opcode Fuzzy Hash: 0c654f505c57645b74590de9af9a7749129a6000ad1170c84967549284a036af
Instruction Fuzzy Hash: 1AC0802065E84507F7D877684C531BC1141EF44344B540079901EC15F3CE1D7C010101

Function 00007FFE7D11713E Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538699813.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffe7d110000_j7movK82QT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f552e0b85cb93534b47cd07bb27abb482ffcbfd0b2535e12316b8b745aaa01
Instruction ID: 46b558009d62736121dd761f64b5bf8bd5de4808b9b5a12aa2b97e047f42cfec
Opcode Fuzzy Hash: 86f552e0b85cb93534b47cd07bb27abb482ffcbfd0b2535e12316b8b745aaa01
Instruction Fuzzy Hash: 2FB0926090885C8EAB80EB9884593ACB3A2FB58301B500266800CD7669CFA466004754

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report j7movK82QT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\j7movK82QT.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
j7movK82QT.exe