Edit tour

Windows Analysis Report
rePERU8VUs.exe

Overview

General Information

Sample name:	rePERU8VUs.exe renamed because original name is a hash value
Original sample name:	f8f34f5b5e59ddec8e6f4af8d03a24c45ca1f30fd1e86bdf7d254fc8ee8522bc.exe
Analysis ID:	1554441
MD5:	e481a4ec620c628b495bedda4360eb3f
SHA1:	140f9f957e6e9b6d61d886085e4fae6a29170151
SHA256:	f8f34f5b5e59ddec8e6f4af8d03a24c45ca1f30fd1e86bdf7d254fc8ee8522bc
Tags:	4-251-123-83exeuser-JAMESWT_MHT
Infos:

Detection

Meduza Stealer, PureLog Stealer, RedLine, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Meduza Stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rePERU8VUs.exe (PID: 2788 cmdline: "C:\Users\user\Desktop\rePERU8VUs.exe" MD5: E481A4EC620C628B495BEDDA4360EB3F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: RedLine

{"C2 url": "4.251.123.83:6677"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
rePERU8VUs.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
rePERU8VUs.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
rePERU8VUs.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
rePERU8VUs.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45c1d:$s1: file:/// 0x45b55:$s2: {11111-22222-10009-11112} 0x45bad:$s3: {11111-22222-50001-00000} 0x423fa:$s4: get_Module 0x42864:$s5: Reverse 0x45226:$s6: BlockCopy 0x42c23:$s7: ReadByte 0x45c2f:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2125398682.0000000000172000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000000.2125398682.0000000000172000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2214095955.000000000280D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rePERU8VUs.exe PID: 2788	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: rePERU8VUs.exe PID: 2788	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rePERU8VUs.exe PID: 2788	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.rePERU8VUs.exe.170000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.rePERU8VUs.exe.170000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.rePERU8VUs.exe.170000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.0.rePERU8VUs.exe.170000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45c1d:$s1: file:/// 0x45b55:$s2: {11111-22222-10009-11112} 0x45bad:$s3: {11111-22222-50001-00000} 0x423fa:$s4: get_Module 0x42864:$s5: Reverse 0x45226:$s6: BlockCopy 0x42c23:$s7: ReadByte 0x45c2f:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T14:57:48.797503+0100	2046056	1	A Network Trojan was detected	4.251.123.83	6677	192.168.2.6	49709	TCP

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T14:57:48.264217+0100	2046045	1	A Network Trojan was detected	192.168.2.6	49709	4.251.123.83	6677	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: rePERU8VUs.exe

Avira: detected

Found malware configuration

Source: rePERU8VUs.exe.2788.0.memstrmin

Malware Configuration Extractor: RedLine {"C2 url": "4.251.123.83:6677"}

Multi AV Scanner detection for submitted file

Source: rePERU8VUs.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rePERU8VUs.exe

Joe Sandbox ML: detected

Source: rePERU8VUs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rePERU8VUs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.6:49709 -> 4.251.123.83:6677
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 4.251.123.83:6677 -> 192.168.2.6:49709

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 4.251.123.83:6677

Source: global traffic

TCP traffic: 192.168.2.6:49709 -> 4.251.123.83:6677

Source: Joe Sandbox View

IP Address: 4.251.123.83 4.251.123.83

Source: Joe Sandbox View

ASN Name: LEVEL3US LEVEL3US

Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83

Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: rePERU8VUs.exe, 00000000.00000002.2227663637.000000001B5DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldbll equals www.youtube.com (Youtube)
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002E0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)

Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.000000000280D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp, rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field1
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field1Response
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field2
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp, rePERU8VUs.exe, 00000000.00000002.2214095955.000000000280D000.00000004.00000800.00020000.00000000.sdmp, rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field2Response
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp, rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field3
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field3Response
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012980000.00000004.00000800.00020000.00000000.sdmp, rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012980000.00000004.00000800.00020000.00000000.sdmp, rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012980000.00000004.00000800.00020000.00000000.sdmp, rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012980000.00000004.00000800.00020000.00000000.sdmp, rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012980000.00000004.00000800.00020000.00000000.sdmp, rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\rePERU8VUs.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: rePERU8VUs.exe, type: SAMPLE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.rePERU8VUs.exe.170000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: rePERU8VUs.exe, Strings.cs

Large array initialization: Strings: array initializer size 6160

Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD348AB125	0_2_00007FFD348AB125
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD348A16B3	0_2_00007FFD348A16B3
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD348AC5E6	0_2_00007FFD348AC5E6
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD348AD459	0_2_00007FFD348AD459
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD349F8E19	0_2_00007FFD349F8E19
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD34A01DC9	0_2_00007FFD34A01DC9
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD349FB90C	0_2_00007FFD349FB90C
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD34A060B9	0_2_00007FFD34A060B9
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD34A0524D	0_2_00007FFD34A0524D
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD349F9E6C	0_2_00007FFD349F9E6C

Source: rePERU8VUs.exe, 00000000.00000002.2214095955.000000000280D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs rePERU8VUs.exe
Source: rePERU8VUs.exe, 00000000.00000000.2125398682.00000000001FE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGristles.exe" vs rePERU8VUs.exe
Source: rePERU8VUs.exe	Binary or memory string: OriginalFilenameGristles.exe" vs rePERU8VUs.exe

Source: rePERU8VUs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rePERU8VUs.exe, type: SAMPLE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.rePERU8VUs.exe.170000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: rePERU8VUs.exe, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rePERU8VUs.exe, Class4.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rePERU8VUs.exe, Class4.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\rePERU8VUs.exe

File created: C:\Users\user\AppData\Local\Microsoft\Wind?ws

Jump to behavior

Source: C:\Users\user\Desktop\rePERU8VUs.exe

Mutant created: NULL

Source: rePERU8VUs.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rePERU8VUs.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\rePERU8VUs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\rePERU8VUs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\rePERU8VUs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rePERU8VUs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\rePERU8VUs.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rePERU8VUs.exe

ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\rePERU8VUs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: rePERU8VUs.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rePERU8VUs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: rePERU8VUs.exe, Class4.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: rePERU8VUs.exe

Static PE information: 0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]

Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD347D5CB0 push edi; iretd	0_2_00007FFD347D5CB6
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD347D00BD pushad ; iretd	0_2_00007FFD347D00C1
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD347D63EE push ss; retf	0_2_00007FFD347D63EF
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD348A2004 pushad ; retf	0_2_00007FFD348A2005
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Code function: 0_2_00007FFD34A07ED0 pushad ; retf 5F2Bh	0_2_00007FFD34A0B4FD

Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\rePERU8VUs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\rePERU8VUs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: \QEMU-GA.EXE

Source: C:\Users\user\Desktop\rePERU8VUs.exe	Memory allocated: 850000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Memory allocated: 1A760000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\rePERU8VUs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\rePERU8VUs.exe	Window / User API: threadDelayed 838			Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Window / User API: threadDelayed 2825			Jump to behavior

Source: C:\Users\user\Desktop\rePERU8VUs.exe TID: 6240	Thread sleep time: -11068046444225724s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe TID: 4152	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\rePERU8VUs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\rePERU8VUs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: rePERU8VUs.exe, 00000000.00000002.2227766557.000000001B61E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMYl7TbktlwpTMf366yxqm+uPbWY4CHOTnXrwGvPjnt7OfVwg2HHr8jHcJ5uzn/JOx/BvEfztb
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B07000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\rePERU8VUs.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\rePERU8VUs.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\rePERU8VUs.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\rePERU8VUs.exe	Queries volume information: C:\Users\user\Desktop\rePERU8VUs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rePERU8VUs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\rePERU8VUs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\rePERU8VUs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\rePERU8VUs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\rePERU8VUs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\rePERU8VUs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\rePERU8VUs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: rePERU8VUs.exe PID: 2788, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: rePERU8VUs.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rePERU8VUs.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2125398682.0000000000172000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: rePERU8VUs.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rePERU8VUs.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2125398682.0000000000172000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rePERU8VUs.exe PID: 2788, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: rePERU8VUs.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rePERU8VUs.exe.170000.0.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: rePERU8VUs.exe, 00000000.00000002.2214095955.000000000280D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.000000000280D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectronCash
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.000000000280D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx
Source: rePERU8VUs.exe, 00000000.00000002.2227329200.000000001B580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pData\Roaming\Exodus\exodus.a
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.000000000280D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: rePERU8VUs.exe, 00000000.00000002.2214095955.000000000280D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: rePERU8VUs.exe, 00000000.00000000.2125398682.0000000000172000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\rePERU8VUs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior

Source: Yara match	File source: 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214095955.000000000280D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rePERU8VUs.exe PID: 2788, type: MEMORYSTR

Remote Access Functionality

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: rePERU8VUs.exe PID: 2788, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: rePERU8VUs.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rePERU8VUs.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2125398682.0000000000172000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: rePERU8VUs.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rePERU8VUs.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2125398682.0000000000172000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rePERU8VUs.exe PID: 2788, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: rePERU8VUs.exe, type: SAMPLE
Source: Yara match	File source: 0.0.rePERU8VUs.exe.170000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	321 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
rePERU8VUs.exe	61%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
rePERU8VUs.exe	100%	Avira	HEUR/AGEN.1312138
rePERU8VUs.exe	100%	Joe Sandbox ML

Name	Malicious	Antivirus Detection	Reputation
4.251.123.83:6677	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp, rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discord.com/api/v9/users/	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field1Response	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rePERU8VUs.exe, 00000000.00000002.2214095955.000000000280D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ip.sb/ip	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/sc	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012980000.00000004.00000800.00020000.00000000.sdmp, rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.w3.oh	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field1	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/envelope/	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field2	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field3	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp, rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012B52000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012980000.00000004.00000800.00020000.00000000.sdmp, rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/06/addressingex	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	rePERU8VUs.exe, 00000000.00000002.2224204533.0000000012980000.00000004.00000800.00020000.00000000.sdmp, rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.w3.o	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field3Response	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002A3B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	rePERU8VUs.exe, 00000000.00000002.2224204533.000000001279F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	rePERU8VUs.exe, 00000000.00000002.2214095955.0000000002761000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2002/12/policy	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit	rePERU8VUs.exe, 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
4.251.123.83	unknown	United States		3356	LEVEL3US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554441
Start date and time:	2024-11-12 14:56:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rePERU8VUs.exe renamed because original name is a hash value
Original Sample Name:	f8f34f5b5e59ddec8e6f4af8d03a24c45ca1f30fd1e86bdf7d254fc8ee8522bc.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: rePERU8VUs.exe

Simulations

Behavior and APIs

Time	Type	Description
08:57:52	API Interceptor	17x Sleep call for process: rePERU8VUs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
4.251.123.83	VJoillkb6X.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	9LrEuTWP8s.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	HAeAec7no3.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	EUFOvMxM2H.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	i4w1K6ft2F.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	xMYbN0Yd2a.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	FaZM14kDMN.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	j7movK82QT.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	Z4uyrnCQ8L.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	file.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEVEL3US	VJoillkb6X.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	9LrEuTWP8s.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	HAeAec7no3.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	EUFOvMxM2H.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	i4w1K6ft2F.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	xMYbN0Yd2a.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	FaZM14kDMN.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	j7movK82QT.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	Z4uyrnCQ8L.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	65.90.191.211

Process:	C:\Users\user\Desktop\rePERU8VUs.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2611
Entropy (8bit):	5.363358188931451
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkafHKWA1eXrHKlT48BHK7HKmTHlHNW:iq+wmj0qCYqGSI6oPtzHeqKkGqhA7qZR
MD5:	CEA017D10C4D437981D19F21660A47FA
SHA1:	61AAFCECB5325DE172857CEF7C7E1F230F73AFFD
SHA-256:	60B099420455DECD1878FE84F217CFE478BA0BA5E6E574077150D08355A1DD96
SHA-512:	413384BF9D2EDC9BC2DF6D5175D09A33B91CCF9C53FE3CB21892CB57AF4FD8A9BE0608E9BCA57AF4A7F2709A4C110148719DA3210460DF433CFD77FA753B9CF8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.180207977229517
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	rePERU8VUs.exe
File size:	743'424 bytes
MD5:	e481a4ec620c628b495bedda4360eb3f
SHA1:	140f9f957e6e9b6d61d886085e4fae6a29170151
SHA256:	f8f34f5b5e59ddec8e6f4af8d03a24c45ca1f30fd1e86bdf7d254fc8ee8522bc
SHA512:	2b6b343da1d922d565a2050e39a5a677827b0402fcded2c619b924ecc92b536c7607337906e7dd91fb73959ffdfbfcbde09c25ace9b7871a1341eaf3e188e98b
SSDEEP:	12288:yDDYDzqxxXBNt1BrivR0V4TBjgYxs1wl206gBawFV2ceSb0BQ/GfM/4QiAzojgJO:yDDY3qxx1N9Xo
TLSH:	21F4701C5BBC058CEC8CD531BE20C9326EA04E08919FCB49A569FA151EB6277B3F5BD1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	0e9696961617e982

Static PE Info

General

Entrypoint:	0x44d0ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4d0a0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4e000	0x6a022	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4b0f4	0x4b200	c759740443881595c2078abf6a60e4f7	False	0.4180174968801997	data	6.528743076934387	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4e000	0x6a022	0x6a200	65e4195d76e2641b30f5c060426a53b1	False	0.04090059997055359	data	3.4733020781588206	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0xc	0x200	3a13fecd19ca9773d82cc3855bc1b8eb	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4e2b0	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	0.019047548598988075
RT_ICON	0x902d8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.03903939429788241
RT_ICON	0xa0b00	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.0580460374185411
RT_ICON	0xa9fa8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.08243992606284659
RT_ICON	0xaf430	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.0987836561171469
RT_ICON	0xb3658	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.14284232365145227
RT_ICON	0xb5c00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.22537523452157598
RT_ICON	0xb6ca8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.30901639344262294
RT_ICON	0xb7630	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.4530141843971631
RT_GROUP_ICON	0xb7a98	0x84	data	0.7196969696969697
RT_VERSION	0xb7b1c	0x31c	data	0.4535175879396985
RT_MANIFEST	0xb7e38	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-12T14:57:48.264217+0100	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	1	192.168.2.6	49709	4.251.123.83	6677	TCP
2024-11-12T14:57:48.797503+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	4.251.123.83	6677	192.168.2.6	49709	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 14:57:47.363360882 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:47.368212938 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:47.368330956 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:47.399403095 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:47.404247999 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.190304995 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.236007929 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:48.264216900 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:48.269063950 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.501347065 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.548391104 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:48.558876038 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:48.563738108 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.797245979 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.797277927 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.797337055 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.797370911 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.797386885 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.797404051 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.797418118 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:48.797487974 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:48.797502995 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.797518015 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.797533989 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.797558069 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.797571898 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.797574043 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:48.797616005 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:48.797920942 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.797977924 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:48.802432060 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.802448988 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.802479982 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:48.802498102 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:48.914350986 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.914374113 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.914414883 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.914447069 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:48.914455891 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.914500952 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:48.919094086 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.919110060 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.919126034 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:48.919167995 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:48.970278025 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.124382019 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.129245996 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.129259109 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.129285097 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.129295111 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.129307985 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.129312038 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.129334927 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.129354000 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.129357100 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.129395008 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.129395962 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.129412889 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.129441023 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.129451990 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.130676031 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.130686998 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.130728006 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.134968996 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.134989977 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.135008097 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.135037899 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.135040998 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.135046959 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.135056973 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.135091066 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.135107040 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.135109901 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.135116100 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.135132074 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.135155916 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.135158062 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.135173082 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.135199070 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.135206938 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.135215998 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.135256052 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.135607004 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.135664940 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.140156031 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.140244007 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.140261889 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.140299082 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.140309095 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.140316963 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.140353918 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.140355110 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.140410900 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.140414000 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.140459061 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.141298056 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.141344070 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.141366959 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.141376019 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.141407967 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.141407967 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.141436100 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.141444921 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.141449928 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.141465902 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.141474962 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.141489029 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.141614914 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.141946077 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.141988039 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.142033100 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.142043114 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.142070055 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.142076015 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.142079115 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.142115116 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.142548084 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.142597914 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.142597914 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.142633915 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.142668009 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.142677069 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.142700911 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.142709970 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.142715931 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.142719030 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.142740965 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.142756939 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.142782927 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.142793894 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.142829895 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.142846107 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.146188021 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146198988 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146215916 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146225929 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146245003 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.146255970 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146265984 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146272898 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.146306038 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146306992 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.146316051 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146331072 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146341085 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146359921 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.146375895 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146378040 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.146384954 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146410942 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146420002 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146945953 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.146955967 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147001982 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147011995 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147041082 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147049904 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147083998 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147093058 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147121906 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147131920 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147165060 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147175074 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147185087 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147532940 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147603035 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147612095 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147629023 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147670031 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147713900 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147722960 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147775888 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147784948 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147891045 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147902012 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147912025 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147963047 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.147972107 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.148040056 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.148049116 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.148102045 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.148108959 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.148118973 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.148155928 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.148307085 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.148385048 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.148395061 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.148411036 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.148420095 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.148456097 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.148466110 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.148494959 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.148504019 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.148519993 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.149008036 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.149091005 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.149101019 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.149121046 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.149130106 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.149144888 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.149154902 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.149173975 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.149204969 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.149214029 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.151372910 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.151412964 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.151423931 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.151473999 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.151484013 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.151494026 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152029991 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152050018 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152090073 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152100086 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152110100 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152126074 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152136087 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152160883 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152184963 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152621984 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152657032 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152666092 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152692080 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152700901 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152728081 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152832985 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152842045 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152879000 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152888060 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.152895927 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.153069973 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.153124094 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.153913021 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.153923035 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.153956890 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.153970957 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.153985977 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.153995991 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154045105 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154055119 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154217958 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154227018 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154236078 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154247046 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154256105 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154272079 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154280901 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154289961 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154299974 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154316902 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154325962 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154334068 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154344082 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154354095 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154381037 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154390097 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154397964 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154433012 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154442072 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154449940 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154459953 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154480934 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154489994 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154498100 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154536009 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154545069 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154612064 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154620886 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154660940 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154689074 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154697895 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154716015 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154725075 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154742002 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154751062 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154778004 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154788017 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.154795885 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.155735970 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.155936956 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.155951977 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.155962944 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.155972004 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.155980110 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.155988932 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.157867908 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.157917976 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.157927036 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.157943964 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.157953024 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158004045 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158013105 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158077002 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158092976 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158102036 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158109903 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158123016 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.158159971 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158171892 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158171892 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.158185005 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158195019 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158212900 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158221960 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158246040 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158255100 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158271074 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158279896 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158293962 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158303022 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158333063 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158343077 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158360958 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158371925 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158387899 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158397913 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158443928 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158452988 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158472061 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158479929 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158488989 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158498049 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158520937 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158679008 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158688068 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158694983 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158704996 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158713102 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158723116 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158731937 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158741951 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158751011 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158768892 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158777952 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158785105 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158799887 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158808947 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158818007 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158834934 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.158843994 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163100958 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163117886 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163137913 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163160086 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163244963 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163255930 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163265944 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163275003 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163292885 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163301945 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163304090 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.163331985 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163343906 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163361073 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163362980 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.163372040 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163388014 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163398027 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163408995 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163419962 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163479090 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163490057 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163495064 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163499117 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163516998 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163527012 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163548946 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163558960 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163575888 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163584948 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163606882 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163616896 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163697958 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163707972 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163717985 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163741112 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163773060 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163979053 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163989067 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.163996935 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164006948 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164016008 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164026022 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164036036 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164052963 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164062023 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164071083 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164081097 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164092064 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164100885 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164108992 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164119005 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164128065 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164139032 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.164150000 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168262005 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168271065 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168404102 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.168409109 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168420076 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168427944 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168437004 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168453932 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168457985 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.168464899 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168473959 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168483973 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168545961 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168555975 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168565035 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168576002 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168593884 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168602943 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168612003 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168621063 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168637991 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168648958 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168658018 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168667078 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168678999 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168695927 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168725014 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168730021 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168771029 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168781042 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168797016 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168806076 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168822050 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168831110 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168867111 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168876886 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168891907 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168901920 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168911934 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168921947 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168946981 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168956995 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168987989 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.168998003 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.169023037 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.169032097 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.169047117 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.169056892 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.169141054 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.169152021 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.169159889 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.169169903 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.169179916 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.169188976 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.169198036 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173309088 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173326969 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173404932 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173413992 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173489094 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173497915 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173552990 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.173615932 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.173688889 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173697948 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173706055 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173715115 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173722982 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173732042 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173741102 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173749924 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173759937 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173768997 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173784971 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173794985 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173809052 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173819065 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173887014 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173896074 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173960924 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.173969984 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174027920 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174063921 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174132109 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174140930 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174170017 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174179077 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174288988 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174299002 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174350977 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174360037 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174427986 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174438000 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174623966 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174633026 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174639940 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174649954 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174659014 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174668074 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.174679041 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.218242884 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.218561888 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.218641043 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.218641043 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.218687057 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.268938065 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.269192934 CET	49709	6677	192.168.2.6	4.251.123.83
Nov 12, 2024 14:57:54.274152040 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.982692003 CET	6677	49709	4.251.123.83	192.168.2.6
Nov 12, 2024 14:57:54.998272896 CET	49709	6677	192.168.2.6	4.251.123.83

Target ID:	0
Start time:	08:57:45
Start date:	12/11/2024
Path:	C:\Users\user\Desktop\rePERU8VUs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\rePERU8VUs.exe"
Imagebase:	0x170000
File size:	743'424 bytes
MD5 hash:	E481A4EC620C628B495BEDDA4360EB3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2125398682.0000000000172000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.2125398682.0000000000172000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2214095955.00000000027F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2214095955.000000000280D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD348AD459 Relevance: 3.4, Strings: 2, Instructions: 869
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD348ADB02
d@_H, xrefs: 00007FFD348AD85E

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID: $d@_H
API String ID: 0-64309500
Opcode ID: d7c735dbc779d4a4c5c820d587e1e21213e2a80dca3abfd1fbea13c120b7acae
Instruction ID: 2c99bb2506e336d78f58d8f173eb6fe84a1d931564a270afae938bef32dba99b
Opcode Fuzzy Hash: d7c735dbc779d4a4c5c820d587e1e21213e2a80dca3abfd1fbea13c120b7acae
Instruction Fuzzy Hash: 42421321B0EBC50FE7A5DB2C88A55687BE2EF5B314B0901FED58DC71A3D928AC45C352

Function 00007FFD34A01DC9 Relevance: 2.8, Instructions: 2760
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2231938957.00007FFD349F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD349F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd349f0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2eaaa6eec6ff5af6efcc5251580b829d0c0acd07addd894a9cb221ef3360b8f
Instruction ID: e4978a5fabad5fb4f2a742ab13628057efb8a230dc3b08bab2c7c2cf6fc3deac
Opcode Fuzzy Hash: a2eaaa6eec6ff5af6efcc5251580b829d0c0acd07addd894a9cb221ef3360b8f
Instruction Fuzzy Hash: 88339870A19A5D8FDBA8DF18C895BA9B7F1FB69305F1041EA900DE3251CE35AE81DF40

Function 00007FFD349F8E19 Relevance: 1.9, Strings: 1, Instructions: 696
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

S, xrefs: 00007FFD349F9D4E

Memory Dump Source

Source File: 00000000.00000002.2231938957.00007FFD349F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD349F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd349f0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID: S
API String ID: 0-543223747
Opcode ID: 3bb3c15a5f5460d2b2d2ef1bf610b1699a5152c37f9ca919f6289814c9d3c7ce
Instruction ID: 4cf804ebda1066907c693efd8570e58fa5e7b48831065b0a90796b15f018f6e9
Opcode Fuzzy Hash: 3bb3c15a5f5460d2b2d2ef1bf610b1699a5152c37f9ca919f6289814c9d3c7ce
Instruction Fuzzy Hash: C152BA71E18A2D8FDBA4DF18C8A5BA9B7B1FF59301F5041EAD10DE3295CA346A81DF40

Function 00007FFD348AC5E6 Relevance: 1.9, Strings: 1, Instructions: 642
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[K_H, xrefs: 00007FFD348AC8D1

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID: [K_H
API String ID: 0-77839783
Opcode ID: 43d27c9f527dd7fa02f7bb078cbfba712ea1d3609a200afc0d8ead536eef6acf
Instruction ID: df09a3b7807a93d525a93fb6768f0a5bf334dd2cff5f4b1f86060d34c4a62741
Opcode Fuzzy Hash: 43d27c9f527dd7fa02f7bb078cbfba712ea1d3609a200afc0d8ead536eef6acf
Instruction Fuzzy Hash: 4212C671B1DA494FEBE8EB2C84A5668B7D1FF5A300B0401BED54EC72A3DE68EC419741

Function 00007FFD34A0524D Relevance: 1.0, Instructions: 1038COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2231938957.00007FFD349F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD349F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd349f0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac7311e34bc0ea90cc4a21ac96f5f3317bf409dc88f6295fea6b83430b2ef35
Instruction ID: 2ee4a7329d69c927611bd58b5c4528c30117d17f6561ce4c8ada6f3bc061280d
Opcode Fuzzy Hash: aac7311e34bc0ea90cc4a21ac96f5f3317bf409dc88f6295fea6b83430b2ef35
Instruction Fuzzy Hash: 4C628370B1CA054FEB98EB2CD4A5A7973D2FF99314B5401B9E44EC7292DE28FC429781

Function 00007FFD348A16B3 Relevance: 1.0, Instructions: 985COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecbf55767db173bc088f039b165b93a379a0d9afd6b40df68468e8cca20828f0
Instruction ID: fd67af3d92c6db78612ba0330ab81c08e559a66ce2ffbb3aa25683f06ca284be
Opcode Fuzzy Hash: ecbf55767db173bc088f039b165b93a379a0d9afd6b40df68468e8cca20828f0
Instruction Fuzzy Hash: 5452F630B0DA494FE799D72C94A56757BD1EF9A310F1402BAD04EC72E3CE68AC42D791

Function 00007FFD349FB90C Relevance: .8, Instructions: 781COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2231938957.00007FFD349F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD349F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd349f0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d946c69cc207edbdf57bcb125ea6463a9a2d46aeda4888d5084f91bb63ac914
Instruction ID: 3e7a731ef49d24c61d12ecf9e7bd2c3aa6451f73532062d4effb4a74d3bf6d22
Opcode Fuzzy Hash: 8d946c69cc207edbdf57bcb125ea6463a9a2d46aeda4888d5084f91bb63ac914
Instruction Fuzzy Hash: 7262EA71A18A198FDBA4EF18C8A5BA9B7B1FF59301F5041E9D10DE3255DE38AD80CF40

Function 00007FFD34A060B9 Relevance: .7, Instructions: 718COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2231938957.00007FFD349F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD349F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd349f0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e02d771b43553d51a392d74c9d585a1b03565db308ef3334141c178b281e34d
Instruction ID: 997959a40f4011c048b5802d61ec249a677ebf42eb810f4f1df2cfb3171bfe0a
Opcode Fuzzy Hash: 9e02d771b43553d51a392d74c9d585a1b03565db308ef3334141c178b281e34d
Instruction Fuzzy Hash: 2532A370B18A4A8FDB98DB18C4A5BA877E1FF99308F144179D54ED7292DE38F881CB41

Function 00007FFD348AB125 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8e78f20e93a518900bc9f2403e69c14b4a3fe93fca96ce898d149558a014a8
Instruction ID: b0fcd1d301f071196f746f164602db9b70a468d083fc7d67e5ded6a745450542
Opcode Fuzzy Hash: 8c8e78f20e93a518900bc9f2403e69c14b4a3fe93fca96ce898d149558a014a8
Instruction Fuzzy Hash: DC120631B1DA494FE798DB2C94A567977E1FF9A310B0401BEE18EC72A3DE68EC058741

Function 00007FFD347D0DF5 Relevance: 2.8, Strings: 2, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xel4, xrefs: 00007FFD347D176E
Xel4, xrefs: 00007FFD347D0ED7

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID: Xel4$Xel4
API String ID: 0-4167912809
Opcode ID: 5f3e19ae4b0e8281aa87e937dd3e2ee64f45a88073132d9f98aa02bba93e6d19
Instruction ID: 5a71a1f0ca7db0677653a45ee5014c70992ef9db53b1a28da6a303b1b4fdbb3b
Opcode Fuzzy Hash: 5f3e19ae4b0e8281aa87e937dd3e2ee64f45a88073132d9f98aa02bba93e6d19
Instruction Fuzzy Hash: C1C1B771A19A1D8FDBA4EB18C898BA9B7F5FB59300F1041E9D10DE7261DB34AE85CF40

Function 00007FFD348AA8BB Relevance: 2.8, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 00007FFD348AA8C3
{K_H, xrefs: 00007FFD348AA8D1

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID: H${K_H
API String ID: 0-3814551011
Opcode ID: 3013c41311002f935e151eab9ec3c4b3e44fd9134b9b5283b0dd1c5b3aba86a3
Instruction ID: 449a3a5c1d1b76d24fa2c276652b24681578751bb933c4c12d0c937705931a37
Opcode Fuzzy Hash: 3013c41311002f935e151eab9ec3c4b3e44fd9134b9b5283b0dd1c5b3aba86a3
Instruction Fuzzy Hash: A5614971B0DB884FE7D5DB2C98A55653BE1EF5A310B0401EFE289C72A3D928EC06C351

Function 00007FFD349F77B1 Relevance: 1.8, APIs: 1, Instructions: 254
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00007FFD349F797F

Memory Dump Source

Source File: 00000000.00000002.2231938957.00007FFD349F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD349F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd349f0000_rePERU8VUs.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c72c6f122491477ce291e8f7d7873a5bd89a064d20390b35394b4e3861d7f89b
Instruction ID: 541ed0712621c65c088a506645fcad8cf86a4a3aa10f30d461ba47a312155fe7
Opcode Fuzzy Hash: c72c6f122491477ce291e8f7d7873a5bd89a064d20390b35394b4e3861d7f89b
Instruction Fuzzy Hash: AC71A131A18B4C4FEB68DF18D8967E977E1FF59311F10426EE84EC3252CA75A941CB82

Function 00007FFD349F82C1 Relevance: 1.7, APIs: 1, Instructions: 168
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE ref: 00007FFD349F83CA

Memory Dump Source

Source File: 00000000.00000002.2231938957.00007FFD349F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD349F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd349f0000_rePERU8VUs.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a19a23895c110378bfbe2471afaff72e965327e89b35b7c72e00d4cf2928425d
Instruction ID: dcbbf4abec4fdc159298e3dcf36c69ba1bad27e6b59a9898704d5eab2fc169ef
Opcode Fuzzy Hash: a19a23895c110378bfbe2471afaff72e965327e89b35b7c72e00d4cf2928425d
Instruction Fuzzy Hash: 06418E31A08B1C8FDB58DF98D84A6EDBBE1EB99311F04426ED04DE7256CA74A845CB81

Function 00007FFD34A014A9 Relevance: 1.6, APIs: 1, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateCompatibleBitmap.GDI32 ref: 00007FFD34A0154A

Memory Dump Source

Source File: 00000000.00000002.2231938957.00007FFD349F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD349F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd349f0000_rePERU8VUs.jbxd

Similarity

API ID: BitmapCompatibleCreate
String ID:
API String ID: 1901715728-0
Opcode ID: ef99a67791a628a27d86dcb5ef3bed8a8386c121cd14d9b8d5eab0a0312b06ab
Instruction ID: 2cc723d022c48ccc4b693a132c1c472b3a0b34cbcd6529f36b02802c1650556c
Opcode Fuzzy Hash: ef99a67791a628a27d86dcb5ef3bed8a8386c121cd14d9b8d5eab0a0312b06ab
Instruction Fuzzy Hash: 95310C31A0CA4C5FDB1CDB6898566F9BBE4EB56321F00427FE04ED3192CA656816C781

Function 00007FFD34A06A69 Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteDC.GDI32 ref: 00007FFD34A06B07

Memory Dump Source

Source File: 00000000.00000002.2231938957.00007FFD349F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD349F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd349f0000_rePERU8VUs.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: 4d40e0c184440fbab12059cd418402062128fde9948b4505c2115cd227cd1924
Instruction ID: 6322a3417150f377b43ce5ad485827e7243263e1cbbc4c2560719ea1dd6cd34c
Opcode Fuzzy Hash: 4d40e0c184440fbab12059cd418402062128fde9948b4505c2115cd227cd1924
Instruction Fuzzy Hash: 9C31233190CB488FDB69DFA888566F97BE0EF56320F0442AFD049C7293CA79A815C751

Function 00007FFD347D0F47 Relevance: 1.6, Strings: 1, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xel4, xrefs: 00007FFD347D176E

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID: Xel4
API String ID: 0-2300387716
Opcode ID: 6dd43eea9bac06a18d626bf72504a6c9ad5ffde34ce81f0b5df7e3541d7b9a4e
Instruction ID: dadaa562a229be835ec8d37f5505898c2f7f882ff985b1aa8498d1cd8277c0a5
Opcode Fuzzy Hash: 6dd43eea9bac06a18d626bf72504a6c9ad5ffde34ce81f0b5df7e3541d7b9a4e
Instruction Fuzzy Hash: ABD16174A19A1C8FDBA4EB18C898BA8B7F5FF59301F1441E9D10DE7261CA34AE81CF40

Function 00007FFD348AAD59 Relevance: 1.6, Strings: 1, Instructions: 301
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

vK_H, xrefs: 00007FFD348AADD2

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID: vK_H
API String ID: 0-1459341892
Opcode ID: a174d3e9daf1b43e47a6aac6fbe5620cb363295816756fd287f3354ddf43ba22
Instruction ID: 5ba24138bde3e61fdc1399d3ad3ed82c84547cea572667e58b9d31796bac218a
Opcode Fuzzy Hash: a174d3e9daf1b43e47a6aac6fbe5620cb363295816756fd287f3354ddf43ba22
Instruction Fuzzy Hash: B2813831B1DB884FE7E5DB2C98A46A57BD1FF9A310B0401BFE189C72A3DD68AC058351

Function 00007FFD347D1EDE Relevance: 1.5, Strings: 1, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xel4, xrefs: 00007FFD347D176E

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID: Xel4
API String ID: 0-2300387716
Opcode ID: 6f1fada67757d8925d689e564c1321a3ca840321e8e76e437d45630c64a098b1
Instruction ID: 3a6bbb7302eddb2c9e38f4f6dd64b4b3be1475fb801cd27412b4013e508f78d3
Opcode Fuzzy Hash: 6f1fada67757d8925d689e564c1321a3ca840321e8e76e437d45630c64a098b1
Instruction Fuzzy Hash: 26B10970A19A19CFDBA9DB18C8A5BA877B5FF5A301F1001E9D50DD7291CB38AE85CF40

Function 00007FFD347D15AE Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

Xel4, xrefs: 00007FFD347D176E

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID: Xel4
API String ID: 0-2300387716
Opcode ID: 2e4f07a48d0bbe5d759d67b07b0ef626b58305e13a1ece8b97109dfd65f1b28f
Instruction ID: 2e36a624e366c38bcaed1a77777fe227810463c6a7799424c5810e6ba6e8f878
Opcode Fuzzy Hash: 2e4f07a48d0bbe5d759d67b07b0ef626b58305e13a1ece8b97109dfd65f1b28f
Instruction Fuzzy Hash: F6B18670A196198FDBA9EB58C8A4BA8B7F5FF59300F5041E9D00DE7261CB34AE85CF40

Function 00007FFD348AA5C0 Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD348AA5C8

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: d134a5ea441f60886aa5efbc1b3f956bb85dba99e116bb01f35e87ac124faea0
Instruction ID: 2a0461f9d4fee175935952bcbca9d91e4bc494f21aa93f271dd12c9303b4c64b
Opcode Fuzzy Hash: d134a5ea441f60886aa5efbc1b3f956bb85dba99e116bb01f35e87ac124faea0
Instruction Fuzzy Hash: 15711731B1DB844FE7A5DB2C98A45657BE1EF5A310B0801EFE188C72A3D929EC06C751

Function 00007FFD347D1F71 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

Xel4, xrefs: 00007FFD347D176E

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID: Xel4
API String ID: 0-2300387716
Opcode ID: fa4a1ad77332adad66f7933779ec07e7c6d9422da70b06caa38600f5bcde8213
Instruction ID: 642e86219de946a57974e66acf78d1a2c359e97bb51b228bc40aada66066fb01
Opcode Fuzzy Hash: fa4a1ad77332adad66f7933779ec07e7c6d9422da70b06caa38600f5bcde8213
Instruction Fuzzy Hash: 88916574A19A188FDBA9EB58C894BA8B7F5FF59301F1041E9D00DE7261CB75AE81CF40

Function 00007FFD347D1E4F Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

Xel4, xrefs: 00007FFD347D176E

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID: Xel4
API String ID: 0-2300387716
Opcode ID: eacb1f47fe5d38c6018e4d289a14773260b2e9dec79bb17309490ed8fdf8c2f4
Instruction ID: a8152aebcaa3dd5fa0af0563f384548a4cf77d00d176982b0494098be0b6ac92
Opcode Fuzzy Hash: eacb1f47fe5d38c6018e4d289a14773260b2e9dec79bb17309490ed8fdf8c2f4
Instruction Fuzzy Hash: 0B81A774A19A198FDBA9EB18C894BA8B7F5FF59301F1001E9D00DE7261CB74AE85CF40

Function 00007FFD347D2CBD Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

Xgk4, xrefs: 00007FFD347D2CF9

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID: Xgk4
API String ID: 0-3319292717
Opcode ID: 37a48f45bc9add42a2517506114c6d7a1824d29e8e33b047101146007b022700
Instruction ID: 253707980c572ba2b2a37c4cb9a79cce791bb2d1e5b576ca859dfc67c80eeffa
Opcode Fuzzy Hash: 37a48f45bc9add42a2517506114c6d7a1824d29e8e33b047101146007b022700
Instruction Fuzzy Hash: C8312675A1D68D9FDB469F6888A81A97FB0FF53304F4400FAD549C70E3DA28A849C781

Function 00007FFD348AA2A1 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49208c898b808fde5b44869af1cb84d1708f07532482bbb3ab53a9e7fb9d6290
Instruction ID: 902706b9e37eb7e8fe5c003b8da23f2a442468374bf6e33377fc5de9d310bee7
Opcode Fuzzy Hash: 49208c898b808fde5b44869af1cb84d1708f07532482bbb3ab53a9e7fb9d6290
Instruction Fuzzy Hash: 2CD10621B0EB880FE7A6DB2C98A56757BE1EF5B310B0901FFD589C71A3DD68AC058351

Function 00007FFD348AA6E0 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ae2be59a7ddb105fad756a2a94969a9a3537bc20af0aba1e4fb9113424d7c0
Instruction ID: 5a7035d27240209cefaf29f84605120fb35b153ff1ac86c7763cfab9b249f176
Opcode Fuzzy Hash: 26ae2be59a7ddb105fad756a2a94969a9a3537bc20af0aba1e4fb9113424d7c0
Instruction Fuzzy Hash: 58A1D731B1DB884FD7E5DB2C98A56657BE1FF9A310B0401BEE189C72A3DA28EC05C751

Function 00007FFD348AC04D Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d01d338c3278620b25c96af8dc330164479ccb9a1477612b57e3603472d193
Instruction ID: b1c44503644df7dbfe45b0d629a40707a7210f7397562768728b2d65f3aaca97
Opcode Fuzzy Hash: b5d01d338c3278620b25c96af8dc330164479ccb9a1477612b57e3603472d193
Instruction Fuzzy Hash: 11A1A261B0EB854FD796DB2C88A55687BE1EF5B210B0901FBD189C71A3D92CAC46C352

Function 00007FFD347D3299 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3ad9b1940fa670c16774f8a6e63ef1a7f19f7fad953aa00f61618ea5050493
Instruction ID: aa4c27462c1398d042d7fccc32be4a9ae3c6a58a77ebaad7f9d2f9b38003b6dc
Opcode Fuzzy Hash: 0c3ad9b1940fa670c16774f8a6e63ef1a7f19f7fad953aa00f61618ea5050493
Instruction Fuzzy Hash: C0C13F71E195598FEBA8DB58C8A57BCB7B1FF5A300F5041BAD00DE3292CE386985DB40

Function 00007FFD348AA9BE Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d648d178eb7befe06f61faa3cad47ef305fafaa5948c736bd556461b2ea4470
Instruction ID: 1414a96184edfe2dc4694edf7f47dfbd3508f1d914c63567038a47f109a6c09b
Opcode Fuzzy Hash: 0d648d178eb7befe06f61faa3cad47ef305fafaa5948c736bd556461b2ea4470
Instruction Fuzzy Hash: DE912A31B1DB884FD7E5DB2C98A56657BE1FF9A310B0401BEE189C32A3D928EC05C751

Function 00007FFD348ABDFC Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7369bbd8de6c55c7827c9cbd7bba49bd7f270d154dba546ceb8594207a003608
Instruction ID: addf7def7617c5e3c282422376f308151017c1c9f1b977858b056646ef761ad6
Opcode Fuzzy Hash: 7369bbd8de6c55c7827c9cbd7bba49bd7f270d154dba546ceb8594207a003608
Instruction Fuzzy Hash: 4081363171DB884FD799DB2C98A45747BE1EF9A310B0A01EBE589C72A3DD28EC06C751

Function 00007FFD348AB20D Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bcf046c0ce195f091292b4a7fb63c213640ece806671c06135f68072c9fcc2
Instruction ID: 95f33ca0ccf5bb7886cc148d44cb783c34d05eacd14c35b1cc4f71d99a1c54f4
Opcode Fuzzy Hash: c5bcf046c0ce195f091292b4a7fb63c213640ece806671c06135f68072c9fcc2
Instruction Fuzzy Hash: F691B531B1DA494FDBE8EB1C94A466877E1FF9A310B0501BAE15EC72A3DE28EC45C741

Function 00007FFD348A22EB Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde04166ee87c23abdd55965c306366c5391d02ba6c72a3ee24e55d482eaa780
Instruction ID: 7b516d4afa61c46c9e19c29351dfcea7e9e17b65b6a46b5c62a6a0e0dd199383
Opcode Fuzzy Hash: cde04166ee87c23abdd55965c306366c5391d02ba6c72a3ee24e55d482eaa780
Instruction Fuzzy Hash: A281D320B0DA494FE7A9D72C94A56757BD1EF9B320F1402BAD14EC72E3DD6CAC428391

Function 00007FFD348AD219 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f114ee99a873e3ddee1db37d297ebbfdd7f91395a5c043f35827bd73a01a1f9c
Instruction ID: bbf802d5009f06c465f2b635b3be33e4dfd1e25d087b91a11135d5464b6dc260
Opcode Fuzzy Hash: f114ee99a873e3ddee1db37d297ebbfdd7f91395a5c043f35827bd73a01a1f9c
Instruction Fuzzy Hash: F071D53170DA884FE799DB2C98A56743BD2EF9B31470902EBE489C72A3DD58AC42C751

Function 00007FFD347D2FF0 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a5556dae91b08ea40023ed709908328fce74ccd23e1a7b6aac4bbd383bc4d8
Instruction ID: 239b6e87e674979f7e1f25c271923fd776325c38b7fd0e06a213731f861e502a
Opcode Fuzzy Hash: 19a5556dae91b08ea40023ed709908328fce74ccd23e1a7b6aac4bbd383bc4d8
Instruction Fuzzy Hash: 1A91F7B1F1DA898FDB54CF5888A46BD7BE1FF9A314F1401BAD04DE3292CE3868058791

Function 00007FFD348AB713 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb9668cf0b6ff4952286590501be8426252836cb3c8cd7c0313694d153ecc08
Instruction ID: b43c2583b41c9b34bfeb9c89cbb843baa52e5dbc0d4d4eba311c745bb169ba46
Opcode Fuzzy Hash: acb9668cf0b6ff4952286590501be8426252836cb3c8cd7c0313694d153ecc08
Instruction Fuzzy Hash: 6A61077171DA484FDBD8DB1C98A5A7577D2FF9A310B4501AFE14AC32A3DE68EC028742

Function 00007FFD347D2E90 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f6d34b8c839a4b3c14ea45d0283e443349f44d52bcef5b4c7d9a1b6bd20e30
Instruction ID: 665cfb9d8ba87c6998e898c5d611132777d749496e0fd7b4a286fbef0692cc75
Opcode Fuzzy Hash: 39f6d34b8c839a4b3c14ea45d0283e443349f44d52bcef5b4c7d9a1b6bd20e30
Instruction Fuzzy Hash: DA91EA70A1991D8FDF94EB58C4A9BADB7F1FF5A300F4001A9D10DE7292DE39A885DB40

Function 00007FFD348AB0F8 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9397cf0d4354bbe77109cda5e8dcc7808ae6aedb54a91b1e721fb1886bf8013d
Instruction ID: 272ee4ea4248c3e8e1d06d04b89e769288b4f52ecbf3076b6fc9df2553d6ab4c
Opcode Fuzzy Hash: 9397cf0d4354bbe77109cda5e8dcc7808ae6aedb54a91b1e721fb1886bf8013d
Instruction Fuzzy Hash: CB713632B1EB844FE7E5DB2C98A55657BD1EF5B310B0800EFE289C72A3D968AC05C351

Function 00007FFD347D25B8 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8c98c8fc609502c2e6c048afb80db4b8d3e6cac83ac46e7f14dc1d57721f0f
Instruction ID: 686f98b372b9e992ae579c96bdcaca74ab3f494ebd1502c0cc34fb22fc368d98
Opcode Fuzzy Hash: ce8c98c8fc609502c2e6c048afb80db4b8d3e6cac83ac46e7f14dc1d57721f0f
Instruction Fuzzy Hash: B381F813B1E6966AE311BBB868B55FA7B60EF43325F0841B6E28CD9083DC1C745AC7D1

Function 00007FFD348A1AE3 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860ccd98a7f0933ffbee6aea92111f99c9fe812fd83ac8084e60e44f69f10d04
Instruction ID: 9487b84f8815966de05c5e596e1ce77571a09ca11e574848e896ba75d472a5d6
Opcode Fuzzy Hash: 860ccd98a7f0933ffbee6aea92111f99c9fe812fd83ac8084e60e44f69f10d04
Instruction Fuzzy Hash: 7941F62270DA890FE799D72C98A55757BD1EF9B32070802BBD14DC72E3DD69AC068351

Function 00007FFD348AC3CA Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30eaf453326b89e1418c45c41a79202ff47813560e0cab3f4a081fc139bff316
Instruction ID: b94b54b1d83d82ea7145ba2b2e20f65d7cdcd7a7eca71dae8e203ea9b39ffdf2
Opcode Fuzzy Hash: 30eaf453326b89e1418c45c41a79202ff47813560e0cab3f4a081fc139bff316
Instruction Fuzzy Hash: 7541A67171DE0D4FEBE8DB0CD4A5A7473D1FB99720B4001AAE14EC3266DE24EC428785

Function 00007FFD347D30DD Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a824e73e57e794893905a9ca42217102e50993e0c2b5968de2fba7902c1bf2
Instruction ID: d68b5cd6bb7698514ead7e1ff448eb2e86ea906fcab78b8d6bc5851400c8840d
Opcode Fuzzy Hash: 32a824e73e57e794893905a9ca42217102e50993e0c2b5968de2fba7902c1bf2
Instruction Fuzzy Hash: 7941FB23B1EA965FE711A7ACA8B51ED7BA0DF43225B0801B7D288C9093DD1C645AC7D1

Function 00007FFD348A031D Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4589f79bde2e066b8d8c8c396b3ccb3a24ed51270c263e988c826d3a1173e0fa
Instruction ID: 5575291f0c0fc44c6ef3c8e1268b8a0ee4f7132cc1b7f3e4c39e9ae16f2f5f35
Opcode Fuzzy Hash: 4589f79bde2e066b8d8c8c396b3ccb3a24ed51270c263e988c826d3a1173e0fa
Instruction Fuzzy Hash: 81411C3170DA854FD7559B2C98A55B57FE1EF9732070902FBD049C72E3D918AC06C791

Function 00007FFD347D2F0D Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b74259c463ef6a4f03910841c97b922ceb257b34c00aa6fbf2e14003ee7b337
Instruction ID: d268fce4abd23d7890d00e43f0f903aeccfe6aac849bf7ce29e3128691e4756a
Opcode Fuzzy Hash: 6b74259c463ef6a4f03910841c97b922ceb257b34c00aa6fbf2e14003ee7b337
Instruction Fuzzy Hash: 32519E71A18A5D8FDB85EFA8C8596EE7BF0FF59305F00057AE408E7252CB34A944CB81

Function 00007FFD348AA737 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb9cfb978c379b6f5fa95c2cf8dc4af33ff0654851de619cfe184a2a8515dd5
Instruction ID: 30f5619b69609caf29cf2cedc9948c56bf5502614bb0618510880165bedcc0f8
Opcode Fuzzy Hash: 1cb9cfb978c379b6f5fa95c2cf8dc4af33ff0654851de619cfe184a2a8515dd5
Instruction Fuzzy Hash: 5E318530B1DA494FD7A8DB1CC4A4A69B7E1FF99300B0445BEE08EC36A2DE28EC45C741

Function 00007FFD347D0A52 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f539aac64fe3843005d165a60294ac982f809a0835d31ce3cd61cafe7267aeb2
Instruction ID: dd13b965fc5e468aaaae9b989c96681dfc261f336953627deb8af7b17d853acb
Opcode Fuzzy Hash: f539aac64fe3843005d165a60294ac982f809a0835d31ce3cd61cafe7267aeb2
Instruction Fuzzy Hash: 1C417271918B588EE794DF58C8A53AA7FF5FBAA304F50016FC009D768ADBB92414C740

Function 00007FFD347D30D0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef38162e93cc0b50393f89238996ce3d634e6f983bdfa4cfe235565a3e8f8a6b
Instruction ID: fd361198380676104ff68a0743301fb1022ef88843db5d272033f024e830054b
Opcode Fuzzy Hash: ef38162e93cc0b50393f89238996ce3d634e6f983bdfa4cfe235565a3e8f8a6b
Instruction Fuzzy Hash: FF21E572F1998D8FEB54DF5C88942AD7BF2FBDA310F14426BD50DE3241DA3868058791

Function 00007FFD348ACAA3 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d5b5c89cedcc519b189c8989cea2959c960af12be137495210bd531e5bb9a4
Instruction ID: 178200cdb6c037e65e1f90fbe1de4daa662c241887ce9518f3b831cf649c2495
Opcode Fuzzy Hash: f9d5b5c89cedcc519b189c8989cea2959c960af12be137495210bd531e5bb9a4
Instruction Fuzzy Hash: 7E21D57270DB484FDB98EB1CD8A1578B7D1FF9632470402BED08EC71A2DE29E8428741

Function 00007FFD348AA914 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97311b6b15fe3ebeabc9ecb8f45c59d93da6734376ba21e0391a2e589c7dbc35
Instruction ID: 44b89cffc059fbeb1656e3c37828d9dc385587ce6c3c656f8be0cc7a80c0fb49
Opcode Fuzzy Hash: 97311b6b15fe3ebeabc9ecb8f45c59d93da6734376ba21e0391a2e589c7dbc35
Instruction Fuzzy Hash: 4721B071B09A884FD7E8DB1CC4A4A29B7D1FF99300B04457EE09EC3665CA24E8418742

Function 00007FFD348AA619 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8963456db6757f75c3578a751d5276d36a08201bad0ba1e832a4c6cf56efc34b
Instruction ID: c605d7735ed99ffb5bedfa38d2cdee40e655d5433ae64979720257d9043e74b1
Opcode Fuzzy Hash: 8963456db6757f75c3578a751d5276d36a08201bad0ba1e832a4c6cf56efc34b
Instruction Fuzzy Hash: 11218371719A494FD7E8DB1CD4A8A69B7E1FF99300F14457ED08EC36A2CA24EC41CB41

Function 00007FFD347D275A Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e536746a9af85ac4480c592a28dc803ff0b4856bcc7a3c35e84d61d14224c3
Instruction ID: 5b1c7e923d5e043091807119b03ef492404499c3730f574ab11c72bc93f137c5
Opcode Fuzzy Hash: 86e536746a9af85ac4480c592a28dc803ff0b4856bcc7a3c35e84d61d14224c3
Instruction Fuzzy Hash: 6121D671A2AA898FF794EF2488B66B977A0FF47300F8404BAE54DC2193DD387855C781

Function 00007FFD348A04FD Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1fe9f286a07a6e78cea744502b58b121fd95aa0d8a73a795afcafa450ae2a1
Instruction ID: f3d00a76f5710fec502162ce34a23d996a9080850d2a095f4f4db0a16f59c976
Opcode Fuzzy Hash: 8e1fe9f286a07a6e78cea744502b58b121fd95aa0d8a73a795afcafa450ae2a1
Instruction Fuzzy Hash: 8B110472B1EA854FE7D59F1C84B42383BD2EF9B710B1401BAE14DD32A2DD28AC45D341

Function 00007FFD348A06E0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1bd80dfe5961e0b35004ac19a0f40bac892abf808cdc3201b0a171fb0234378
Instruction ID: 1ca36f32d6a7dadb87bf43edf74befa006877138988124c5b85b88adc1aa106e
Opcode Fuzzy Hash: b1bd80dfe5961e0b35004ac19a0f40bac892abf808cdc3201b0a171fb0234378
Instruction Fuzzy Hash: 5A110B62B1EA854FE395DB2C84A512977D1FF9B710B19027BD14CC32A3DE3EAC059701

Function 00007FFD348AA2EC Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 837b65d2727b44b810264f940b93e72e9c96322e0bbd0798857b80d136045374
Instruction ID: b712cf0f0510e7d388240c2c719c0b5422159e06b9ca08fbb1fe1134c0525dfb
Opcode Fuzzy Hash: 837b65d2727b44b810264f940b93e72e9c96322e0bbd0798857b80d136045374
Instruction Fuzzy Hash: 3911C431B0E9494FEBE8EB1CD8A4A6473E0FF5930071002BAE15DC72A2D959EC409741

Function 00007FFD347D0D01 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695b9652acd86cc1e4f383cacda95b072cb882c672a3454e7fa21cae884a4edd
Instruction ID: fdede8696962a8f941a2ff77f37a04e91920ede3c99f66e9f86de01cdcf72e67
Opcode Fuzzy Hash: 695b9652acd86cc1e4f383cacda95b072cb882c672a3454e7fa21cae884a4edd
Instruction Fuzzy Hash: C901A5B2E1E5899FE795AF2484662BC7BA0FF46314F4105BBD209C60D3DD287844C641

Function 00007FFD348A07CE Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dac552d26af60fc6962b94cd24ceb30243a44a9b3689d3c2259bcf5b2136239
Instruction ID: 33057152d088514ac91b8d648c169f5dc6ee00a90b21b68c0ff626b71853c83d
Opcode Fuzzy Hash: 6dac552d26af60fc6962b94cd24ceb30243a44a9b3689d3c2259bcf5b2136239
Instruction Fuzzy Hash: 11118231B0E9858FDBE5DB1C88A4A287BD1EF57310B1841ADD14DC7292CA6DEC41E786

Function 00007FFD348A2119 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230944783.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27c56b4eb1e2fe2da9fd79621ca404fe8e2866680d53507f50233a678ffebde
Instruction ID: cc9e1b674e834d8b163b887ff9421562129cc8fa39fe019aeaeef55c355b4d47
Opcode Fuzzy Hash: a27c56b4eb1e2fe2da9fd79621ca404fe8e2866680d53507f50233a678ffebde
Instruction Fuzzy Hash: A3018B72709A494FE7E4DB1C88A863533D2EBA9305B04046EE18ED73A1DE29EC41C701

Function 00007FFD347D3775 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edfd6e52fc36446d128fac539976cdfd4cbc514045f12bb74c331068d4d555e4
Instruction ID: 6b55cd2cb620d7c9a8d92d9fc2a7124d7b79fa79ac96f2cb7d03800b83fda6a0
Opcode Fuzzy Hash: edfd6e52fc36446d128fac539976cdfd4cbc514045f12bb74c331068d4d555e4
Instruction Fuzzy Hash: 88015E71908A4D8FDF84EF58C898AEE7BF0FF69300F0005AAD418D72A1D7349554CB80

Function 00007FFD347D2EE0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4818beb7d8ae29dcc8cfdbd57b50aa597e0f3f5d2a8cf0924f18164ce9a7f215
Instruction ID: 73e180364a0b1061d16141a0cf2ad03be81ffe935c0595ef78b97a80d6ec8f84
Opcode Fuzzy Hash: 4818beb7d8ae29dcc8cfdbd57b50aa597e0f3f5d2a8cf0924f18164ce9a7f215
Instruction Fuzzy Hash: C201D670914A0D9FDF84EF68C889AEE7BF0FB69305F10456AE819E3250DB74A594CB80

Function 00007FFD347D0850 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83f00ec1f56c0c5ebc345f52c45ec53a66ad441e6ea085892e132804cf2e392
Instruction ID: 980397719f78502ace71cc54051b3db90afc0be444288e87d1a2ab78315f5e0b
Opcode Fuzzy Hash: b83f00ec1f56c0c5ebc345f52c45ec53a66ad441e6ea085892e132804cf2e392
Instruction Fuzzy Hash: D5018653B1D5D68AD75263ACA8F51F97B60EF43228F4801B2E298D5083DD0C742AE6D2

Function 00007FFD347D2FA8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33013d894c22d45a84f4051c49a236676e2a7d8210ee9c326b4db14c26462f69
Instruction ID: bebc46445586c2b5c3138a07df3a58e0403a77d31c0e02554f7e75925d37b638
Opcode Fuzzy Hash: 33013d894c22d45a84f4051c49a236676e2a7d8210ee9c326b4db14c26462f69
Instruction Fuzzy Hash: 4C01C470914A4DDFDF84EF68C889AEA7BF0FB29305F00056AA819E3254DB34A594CB81

Function 00007FFD347D2F08 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67219346d8a281f75ae41fd9c65d73e3173ac72fe1ddd25d54b8c9a03cb41a63
Instruction ID: 01d4c28417ec064c34da7e3e47ebf7c2adcaf3850347bb5a24c0d0269870923a
Opcode Fuzzy Hash: 67219346d8a281f75ae41fd9c65d73e3173ac72fe1ddd25d54b8c9a03cb41a63
Instruction Fuzzy Hash: 5201B67091490D8FDF84EFA8C898AAE7BF0FF69305F10456AE41DD3250DB30A694CB80

Function 00007FFD347D21F9 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e44f04b6ea461f19c55e88317793925189568eb64d6e39b5920658ce566f8b
Instruction ID: 67d9822b511f64d1bdfe2c1945f6b1c33b10fc7ef698997c26fa9c0220b37f02
Opcode Fuzzy Hash: a3e44f04b6ea461f19c55e88317793925189568eb64d6e39b5920658ce566f8b
Instruction Fuzzy Hash: E9014F70A1868D8FCB85EF68C8586AE7BF0FF5A300F4505DAE418C72A2D734E914CB40

Function 00007FFD347D3790 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a45a3da5e92f84b4d35d0173d5d24c3bffe590e1f948867afabfbaf7b857c3b
Instruction ID: 95f8b12f9fbdaa93d05d875bbc6cd78b70f8892eea44b9e2b1488cb92750ad41
Opcode Fuzzy Hash: 5a45a3da5e92f84b4d35d0173d5d24c3bffe590e1f948867afabfbaf7b857c3b
Instruction Fuzzy Hash: 5201797091491D8FDF84EF58C898AAE7BF0FB69305F10456AE419D3260DB71A694CB81

Function 00007FFD347D0D99 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d886e24eb1cc331bd85f6e1e6c3ddbed59bf096d2c31e5c83b0e4cc0be279fd
Instruction ID: f1b1bfcf23120fad7feebaa89cc48218edeb24d31428d2698bc9087200bc36b5
Opcode Fuzzy Hash: 8d886e24eb1cc331bd85f6e1e6c3ddbed59bf096d2c31e5c83b0e4cc0be279fd
Instruction Fuzzy Hash: 2FF028B2D1E7C88FE7529B2444691987FB0EF5B210F0500EBD508C70D3D9283488C340

Function 00007FFD347D2D70 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166b8eb897dbd196e916ba460d730ddf1393018a18ea00a73403a0f75c03ed67
Instruction ID: 384beba4e81ab3eb98838149e7a1fbacc6e77fde6938aa7edf6bc137a97677fb
Opcode Fuzzy Hash: 166b8eb897dbd196e916ba460d730ddf1393018a18ea00a73403a0f75c03ed67
Instruction Fuzzy Hash: BCF0F83091494C9FDF84EFA8C498AA9BBB0FB69305F4041AAE40ED3190DB31AA94CB40

Function 00007FFD347D0873 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2230547432.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd347d0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05506f2e23e16ab725d58f0d8bcdb84efb86f17a7663d0f40633e5f9dd3f4c79
Instruction ID: e1236bfd53394f6754c3ab185dca44e05480e19c1269512f1e05be4d8159101d
Opcode Fuzzy Hash: 05506f2e23e16ab725d58f0d8bcdb84efb86f17a7663d0f40633e5f9dd3f4c79
Instruction Fuzzy Hash: ECF039A191E3C98FD75327B418A41A97B30AF97208F4901F3E188DA4D3D92C692CD3A3

Non-executed Functions

Function 00007FFD349F9E6C Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2231938957.00007FFD349F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD349F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd349f0000_rePERU8VUs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404650fe7d9f07f5c51116917368e742e3d5a32b85fcfb2d6f11e80fff2bb441
Instruction ID: 8eb739674a137ae64d5aeb097fb2ce56e853a3e80eea85620ed78df788c53d63
Opcode Fuzzy Hash: 404650fe7d9f07f5c51116917368e742e3d5a32b85fcfb2d6f11e80fff2bb441
Instruction Fuzzy Hash: 27D1E971E189198FDBA8EF18C8A5BA9B7B1FF59305F5041E9D10DE3291CA34AE81CF40

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rePERU8VUs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rePERU8VUs.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
rePERU8VUs.exe

Function 00007FFD348AD459 Relevance: 3.4, Strings: 2, Instructions: 869
COMMON

Function 00007FFD34A01DC9 Relevance: 2.8, Instructions: 2760
COMMON

Function 00007FFD349F8E19 Relevance: 1.9, Strings: 1, Instructions: 696
COMMON

Function 00007FFD348AC5E6 Relevance: 1.9, Strings: 1, Instructions: 642
COMMON

Function 00007FFD347D0DF5 Relevance: 2.8, Strings: 2, Instructions: 312
COMMON

Function 00007FFD348AA8BB Relevance: 2.8, Strings: 2, Instructions: 250
COMMON

Function 00007FFD349F77B1 Relevance: 1.8, APIs: 1, Instructions: 254
fileCOMMON

Function 00007FFD349F82C1 Relevance: 1.7, APIs: 1, Instructions: 168
fileCOMMON

Function 00007FFD34A014A9 Relevance: 1.6, APIs: 1, Instructions: 117
windowCOMMON

Function 00007FFD34A06A69 Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Function 00007FFD347D0F47 Relevance: 1.6, Strings: 1, Instructions: 318
COMMON

Function 00007FFD348AAD59 Relevance: 1.6, Strings: 1, Instructions: 301
COMMON

Function 00007FFD347D1EDE Relevance: 1.5, Strings: 1, Instructions: 297
COMMON