Edit tour

Windows Analysis Report
pdusf6w2SJ.exe

Overview

General Information

Sample name:	pdusf6w2SJ.exe renamed because original name is a hash value
Original sample name:	41085a0b812617eaf8124548ea23a71c.exe
Analysis ID:	1557068
MD5:	41085a0b812617eaf8124548ea23a71c
SHA1:	68157e5cd95221a6e59ce19dfd72ab9741052d1a
SHA256:	14f4f088a5819dbc02cdd63e5fc0784e2b7817d9db354fb393f4f06a20502837
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected RedLine Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

pdusf6w2SJ.exe (PID: 6764 cmdline: "C:\Users\user\Desktop\pdusf6w2SJ.exe" MD5: 41085A0B812617EAF8124548EA23A71C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["147.45.44.221:1912"], "Bot Id": "FIMOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
pdusf6w2SJ.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1707853864.0000000000E42000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: pdusf6w2SJ.exe PID: 6764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: pdusf6w2SJ.exe PID: 6764	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.pdusf6w2SJ.exe.e40000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET MALWARE Redline Stealer TCP CnC - Id1Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T09:42:03.564210+0100	2043234	1	A Network Trojan was detected	147.45.44.221	1912	192.168.2.4	49730	TCP

ET MALWARE Redline Stealer TCP CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T09:42:03.313425+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49730	147.45.44.221	1912	TCP
2024-11-17T09:42:08.756561+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49730	147.45.44.221	1912	TCP
2024-11-17T09:42:11.770547+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49730	147.45.44.221	1912	TCP
2024-11-17T09:42:12.219619+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49730	147.45.44.221	1912	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T09:42:10.793067+0100	2046056	1	A Network Trojan was detected	147.45.44.221	1912	192.168.2.4	49730	TCP

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T09:42:03.313425+0100	2046045	1	A Network Trojan was detected	192.168.2.4	49730	147.45.44.221	1912	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: 147.45.44.221:1912

Avira URL Cloud: Label: malware

Found malware configuration

Source: pdusf6w2SJ.exe

Malware Configuration Extractor: RedLine {"C2 url": ["147.45.44.221:1912"], "Bot Id": "FIMOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Multi AV Scanner detection for domain / URL

Source: 147.45.44.221:1912

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Source: pdusf6w2SJ.exe	ReversingLabs: Detection: 71%
Source: pdusf6w2SJ.exe	Virustotal: Detection: 70%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: pdusf6w2SJ.exe

Joe Sandbox ML: detected

Source: pdusf6w2SJ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: pdusf6w2SJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 4x nop then jmp 05D0BC97h	0_2_05D0B538
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 4x nop then jmp 05D0EFABh	0_2_05D0ECE8
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 4x nop then jmp 05D0C262h	0_2_05D0BE40
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 4x nop then jmp 05D0C6E2h	0_2_05D0BE40
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 4x nop then jmp 05D0CBC3h	0_2_05D0C910
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 4x nop then jmp 05D09E53h	0_2_05D09E3B
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 4x nop then inc dword ptr [ebp-20h]	0_2_05D02190
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 4x nop then jmp 075C1CC8h	0_2_075C17D0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49730 -> 147.45.44.221:1912
Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49730 -> 147.45.44.221:1912
Source: Network traffic	Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 147.45.44.221:1912 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 147.45.44.221:1912 -> 192.168.2.4:49730

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 147.45.44.221:1912

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 147.45.44.221:1912

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.221

Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp, pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp, pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003256000.00000004.00000800.00020000.00000000.sdmp, pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: pdusf6w2SJ.exe	String found in binary or memory: https://api.ip.sb/ip
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_017C25D8	0_2_017C25D8
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_017CDC74	0_2_017CDC74
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_0573EFF8	0_2_0573EFF8
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_057389F0	0_2_057389F0
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05730040	0_2_05730040
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_0573001B	0_2_0573001B
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_057389E0	0_2_057389E0
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D08DE8	0_2_05D08DE8
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D09550	0_2_05D09550
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D0B538	0_2_05D0B538
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D0A528	0_2_05D0A528
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D074D0	0_2_05D074D0
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D087A8	0_2_05D087A8
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D0E6C8	0_2_05D0E6C8
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D0BE40	0_2_05D0BE40
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D0C910	0_2_05D0C910
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D0AB68	0_2_05D0AB68
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D07A30	0_2_05D07A30
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D04DD0	0_2_05D04DD0
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D08DD7	0_2_05D08DD7
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D0A518	0_2_05D0A518
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D074C0	0_2_05D074C0
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D08798	0_2_05D08798
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D0BE3D	0_2_05D0BE3D
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D059E8	0_2_05D059E8
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D05118	0_2_05D05118
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D003B0	0_2_05D003B0
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D003A0	0_2_05D003A0
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D0D280	0_2_05D0D280
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05D07A20	0_2_05D07A20
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_075C17D0	0_2_075C17D0
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_075C45B8	0_2_075C45B8
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_075CD4C8	0_2_075CD4C8
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_075C92C0	0_2_075C92C0
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_075C0040	0_2_075C0040
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_075CD020	0_2_075CD020
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_075C39A8	0_2_075C39A8

Source: pdusf6w2SJ.exe, 00000000.00000002.1819568823.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs pdusf6w2SJ.exe
Source: pdusf6w2SJ.exe, 00000000.00000000.1707943231.0000000000E86000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs pdusf6w2SJ.exe
Source: pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs pdusf6w2SJ.exe
Source: pdusf6w2SJ.exe	Binary or memory string: OriginalFilenameSteanings.exe8 vs pdusf6w2SJ.exe

Source: pdusf6w2SJ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe

File created: C:\Users\user\AppData\Local\SystemCache

Jump to behavior

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe

Mutant created: NULL

Source: pdusf6w2SJ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: pdusf6w2SJ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: pdusf6w2SJ.exe	ReversingLabs: Detection: 71%
Source: pdusf6w2SJ.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: pdusf6w2SJ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: pdusf6w2SJ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: pdusf6w2SJ.exe

Static PE information: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_0573D5E2 push eax; ret	0_2_0573D5F1
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_05733295 push B1E89005h; iretd	0_2_0573329C
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_075CCF7F push FFFFFF8Bh; iretd	0_2_075CCF82
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_075CCF20 push FFFFFF8Bh; iretd	0_2_075CCF2E
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_075CCEDF push FFFFFF8Bh; iretd	0_2_075CCEE3
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Code function: 0_2_075CCE9A push FFFFFF8Bh; iretd	0_2_075CCE9E

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Memory allocated: 17C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Memory allocated: 5160000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Window / User API: threadDelayed 891			Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Window / User API: threadDelayed 1925			Jump to behavior

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe TID: 1344	Thread sleep time: -10145709240540247s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe TID: 6812	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: pdusf6w2SJ.exe, 00000000.00000002.1819568823.00000000014E1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe

Code function: 0_2_05D06EC8 LdrInitializeThunk,

0_2_05D06EC8

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Queries volume information: C:\Users\user\Desktop\pdusf6w2SJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: pdusf6w2SJ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.pdusf6w2SJ.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1707853864.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pdusf6w2SJ.exe PID: 6764, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\pdusf6w2SJ.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pdusf6w2SJ.exe PID: 6764, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: pdusf6w2SJ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.pdusf6w2SJ.exe.e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1707853864.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pdusf6w2SJ.exe PID: 6764, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pdusf6w2SJ.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.RedLineStealz
pdusf6w2SJ.exe	70%	Virustotal		Browse
pdusf6w2SJ.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
147.45.44.221:1912	100%	Avira URL Cloud	malware
147.45.44.221:1912	14%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
147.45.44.221:1912	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003703000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id23ResponseD	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003256000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id12Response	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id2Response	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp, pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id21Response	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id9	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id8	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id5	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id4	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id7	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id6	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id19Response	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id15Response	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id6Response	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ip.sb/ip	pdusf6w2SJ.exe	false	high
http://schemas.xmlsoap.org/ws/2004/04/sc	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id1ResponseD	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id9Response	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003703000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id20	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id21	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id22	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id23	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id24	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id24Response	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003703000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id1Response	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id10	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id11	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id12	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id16Response	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id13	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id14	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id15	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id16	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id17	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id18	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id5Response	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id19	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id10Response	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id8Response	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/envelope/	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003703000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtabS	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003703000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id3ResponseD	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003256000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id23Response	pdusf6w2SJ.exe, 00000000.00000002.1820283806.0000000003161000.00000004.00000800.00020000.00000000.sdmp, pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/D	pdusf6w2SJ.exe, 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.45.44.221	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557068
Start date and time:	2024-11-17 09:41:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pdusf6w2SJ.exe renamed because original name is a hash value
Original Sample Name:	41085a0b812617eaf8124548ea23a71c.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 45 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:42:09	API Interceptor	16x Sleep call for process: pdusf6w2SJ.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.45.44.221	5ffe9c7df144e58c04f8d77c33849dcf93dc0ada47717.exe	Get hash	malicious	Stealc, Vidar	Browse	147.45.44.221/28166bd28a5d19e6.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	0a0#U00a0.js	Get hash	malicious	RHADAMANTHYS	Browse	192.229.221.95
	file.exe	Get hash	malicious	Stealc	Browse	192.229.221.95
	q1M9Xfi0yC.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	iZRt9uAa2V.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	q1M9Xfi0yC.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	iZRt9uAa2V.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	ADZP 20 Complex.exe	Get hash	malicious	Babadeda, Wiper	Browse	192.229.221.95
	ADZP 20 Complex.bat	Get hash	malicious	Wiper	Browse	192.229.221.95
	Specifications.exe	Get hash	malicious	DarkTortilla, MassLogger RAT	Browse	192.229.221.95
	Dark_drop_2_pers_lum_clean.exe.bin.exe	Get hash	malicious	LummaC, DarkGate, LummaC Stealer, MailPassView	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	ppc.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	hmips.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	file.exe	Get hash	malicious	DanaBot	Browse	193.233.232.101
	xd.spc.elf	Get hash	malicious	Mirai	Browse	193.233.234.114
	RECIBO TRANSFERENCIA#0000078.exe	Get hash	malicious	Unknown	Browse	193.233.203.63
	RECIBO TRANSFERENCIA#0000078.exe	Get hash	malicious	Unknown	Browse	193.233.203.63
	n7ZKbApaa3.dll	Get hash	malicious	LummaC, Xmrig	Browse	147.45.47.81
	nlJ2sNaZVi.exe	Get hash	malicious	LummaC	Browse	147.45.44.131
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	147.45.47.61
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	147.45.47.61

Process:	C:\Users\user\Desktop\pdusf6w2SJ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3094
Entropy (8bit):	5.33145931749415
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5:	3FD5C0634443FB2EF2796B9636159CB6
SHA1:	366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
SHA-256:	58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
SHA-512:	8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.082222552122564
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	pdusf6w2SJ.exe
File size:	307'712 bytes
MD5:	41085a0b812617eaf8124548ea23a71c
SHA1:	68157e5cd95221a6e59ce19dfd72ab9741052d1a
SHA256:	14f4f088a5819dbc02cdd63e5fc0784e2b7817d9db354fb393f4f06a20502837
SHA512:	36d63aedf130bc186847d272af7ca4369ee62bff2c9c5669921c206fc6debbc1194b23a11d8697763604b55f3b51015e993ba9beb5cb9d350685693da7bc0967
SSDEEP:	3072:WcZqf7D34up/0+mACkyI+EQEjgWvB1fA0PuTVAtkxzM3RIeqiOL2bBOA:WcZqf7DIWnGfEtB1fA0GTV8kSIL
TLSH:	11645A5833E8C910DA7F4775D861D67093B0BCA3A556E70B4FC4ACAB3D32740EA50AB6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. ....................... ............@................................

File Icon


Icon Hash:	4d8ea38d85a38e6d

Static PE Info

General

Entrypoint:	0x4302de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x30290	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x32000	0x1c9c6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x50000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2e2e4	0x2e400	0d31852f7d3a934053509a85a2c6d1b3	False	0.4750422297297297	data	6.187357522789809	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x32000	0x1c9c6	0x1ca00	a8cf3f8ff27a4a736ba8fb433d91107f	False	0.2380765556768559	data	2.615031395625776	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x50000	0xc	0x200	9cf8688692d56eec2446fe27d31fe01a	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x32220	0x3d04	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9934058898847631
RT_ICON	0x35f24	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	0.09013072282030049
RT_ICON	0x4674c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	0.13905290505432216
RT_ICON	0x4a974	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	0.17033195020746889
RT_ICON	0x4cf1c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	0.2045028142589118
RT_ICON	0x4dfc4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	0.24645390070921985
RT_GROUP_ICON	0x4e42c	0x5a	data	0.7666666666666667
RT_VERSION	0x4e488	0x352	data	0.4447058823529412
RT_MANIFEST	0x4e7dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-17T09:42:03.313425+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	147.45.44.221	1912	TCP
2024-11-17T09:42:03.313425+0100	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	1	192.168.2.4	49730	147.45.44.221	1912	TCP
2024-11-17T09:42:03.564210+0100	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	1	147.45.44.221	1912	192.168.2.4	49730	TCP
2024-11-17T09:42:08.756561+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	147.45.44.221	1912	TCP
2024-11-17T09:42:10.793067+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	147.45.44.221	1912	192.168.2.4	49730	TCP
2024-11-17T09:42:11.770547+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	147.45.44.221	1912	TCP
2024-11-17T09:42:12.219619+0100	2043231	ET MALWARE Redline Stealer TCP CnC Activity	1	192.168.2.4	49730	147.45.44.221	1912	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2024 09:42:02.279289007 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:02.284665108 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:02.284897089 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:02.292418957 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:02.297485113 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:03.137079000 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:03.187908888 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:03.313425064 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:03.318485975 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:03.564209938 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:03.609945059 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:08.756561041 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:08.761681080 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:09.073472023 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:09.073523045 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:09.073539019 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:09.073558092 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:09.073577881 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:09.073595047 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:09.073612928 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:09.073844910 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.787548065 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.793066978 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.793106079 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.793133974 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.793163061 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.793190956 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.793246031 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.793273926 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.793279886 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.793304920 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.793333054 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.793366909 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.793389082 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.793433905 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.798254013 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.798305988 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.798332930 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.798482895 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.798644066 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.798674107 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.798702002 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.798728943 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.798757076 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.798813105 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.798841000 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.798851967 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.798868895 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.798897028 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.798926115 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.798981905 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.798983097 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.799058914 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.804249048 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804276943 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804287910 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804300070 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804358006 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804369926 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804380894 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804392099 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804418087 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804429054 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804455996 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804482937 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804539919 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804568052 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804595947 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804611921 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.804624081 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804651976 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804678917 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804707050 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804713964 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.804713964 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.804733038 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804764986 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.804785013 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804811954 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.804812908 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804841995 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804857016 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.804872036 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804886103 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.804902077 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804928064 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.804929972 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804958105 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.804982901 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.804985046 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.805028915 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.805054903 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.809900999 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810081959 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.810281038 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810309887 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810337067 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810369968 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810372114 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.810399055 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810426950 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810468912 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810497999 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810498953 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.810511112 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810537100 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.810539007 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810595036 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.810599089 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810626030 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810668945 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810695887 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810726881 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810756922 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810784101 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810811043 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810837984 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810915947 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810944080 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810971022 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.810997009 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811024904 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811052084 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811081886 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811110020 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811166048 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811193943 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811220884 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811249018 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811275005 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811301947 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811347961 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811376095 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811403036 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811455011 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811484098 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811511993 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811538935 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811566114 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811592102 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811619043 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811645985 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811702013 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811729908 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811736107 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.811757088 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811784029 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811813116 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811841011 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811872959 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811875105 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.811901093 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811928988 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.811956882 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812009096 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812036037 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812062979 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812089920 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812118053 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812144995 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812186003 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812212944 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812251091 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812278032 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812304020 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812342882 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812372923 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812382936 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.812391996 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.815129042 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.817543030 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.817569971 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.817588091 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.817599058 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.817738056 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.817764997 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.817800999 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.817830086 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.817970991 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.817998886 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818030119 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818056107 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818125963 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818154097 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818181038 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818232059 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818258047 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818284988 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818334103 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818361044 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818388939 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818438053 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818464994 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818491936 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818519115 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818568945 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818597078 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818624973 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818651915 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818655968 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.818679094 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818720102 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818773985 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818778992 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.818802118 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818840027 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818933010 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.818974972 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819004059 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819031000 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819057941 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819108963 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819137096 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819164038 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819190979 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819217920 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819245100 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819272041 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819299936 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819344997 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819370985 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819397926 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819425106 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819452047 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819478989 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819567919 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819595098 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819622993 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819650888 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819678068 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819717884 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819745064 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819772959 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819798946 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819825888 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819852114 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819880962 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819906950 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819932938 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.819974899 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.820002079 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.820031881 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.820044041 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.820070028 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.820096970 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825392962 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825421095 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825448990 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825475931 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825504065 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825530052 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825589895 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825618029 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825644970 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825701952 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825736046 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825747013 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825754881 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825783014 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825809956 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825838089 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825848103 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.825865030 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825894117 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825921059 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825948954 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.825977087 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826004028 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826021910 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.826031923 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826060057 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826086044 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826113939 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826141119 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826167107 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826194048 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826221943 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826272011 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826313972 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826355934 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826384068 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826411009 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826468945 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826497078 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826523066 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826550007 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826576948 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826603889 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826630116 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826658010 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826684952 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826710939 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826738119 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826765060 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826792955 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826819897 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826845884 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826874971 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826901913 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.826929092 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832180977 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832209110 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832221031 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832232952 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832243919 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832254887 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832290888 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832302094 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832313061 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832324982 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832336903 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832349062 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832360029 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832372904 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832384109 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832396030 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832406998 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832434893 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832462072 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832489014 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832515955 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832544088 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832595110 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832623005 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832650900 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832679987 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832705975 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832732916 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832760096 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832787037 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832813025 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832839966 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832870007 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832896948 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832922935 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832951069 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.832952976 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.832978010 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833018064 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833045959 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833072901 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833100080 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833126068 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833158016 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.833178997 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833206892 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833234072 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833261013 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833287001 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833313942 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833340883 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833368063 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833395004 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833421946 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.833448887 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.838356018 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.838743925 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.838772058 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.838778019 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.838799000 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.838828087 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.838880062 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.838908911 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.838936090 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.838952065 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.838963985 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.838993073 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839020967 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839047909 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839075089 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839102983 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839129925 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839157104 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839184046 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839210987 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839237928 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839265108 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839292049 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839370966 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839400053 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839427948 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839454889 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839482069 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839509964 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839536905 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839562893 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839591026 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839617968 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839646101 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839673042 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839699984 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839726925 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839754105 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839782000 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839808941 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839835882 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839863062 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839890957 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839916945 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839943886 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839970112 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.839997053 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.840028048 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.840085030 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.840125084 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.840152025 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.840178967 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.840204954 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.840244055 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.840270996 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845118046 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845536947 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845566034 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845593929 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845637083 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.845649004 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845675945 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845731974 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845761061 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845788956 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845805883 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.845818996 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845846891 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845875025 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845901966 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845928907 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845956087 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.845983028 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846010923 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846038103 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846065044 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846091986 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846118927 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846172094 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846199036 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846225977 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846256018 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846282005 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846322060 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846349001 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846376896 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846404076 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846431017 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846457958 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846484900 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846512079 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846539021 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846565008 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846591949 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846618891 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846646070 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846672058 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846698999 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846725941 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846751928 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.846805096 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.889777899 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.890244961 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.890491009 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.890491009 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.890645027 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.930500031 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.930785894 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:10.936032057 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:10.977830887 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:11.769181967 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:11.770546913 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:11.775779963 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:12.020416021 CET	1912	49730	147.45.44.221	192.168.2.4
Nov 17, 2024 09:42:12.063136101 CET	49730	1912	192.168.2.4	147.45.44.221
Nov 17, 2024 09:42:12.219619036 CET	49730	1912	192.168.2.4	147.45.44.221

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 17, 2024 09:42:20.449826002 CET	1.1.1.1	192.168.2.4	0x1c1d	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 17, 2024 09:42:20.449826002 CET	1.1.1.1	192.168.2.4	0x1c1d	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:41:59
Start date:	17/11/2024
Path:	C:\Users\user\Desktop\pdusf6w2SJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\pdusf6w2SJ.exe"
Imagebase:	0xe40000
File size:	307'712 bytes
MD5 hash:	41085A0B812617EAF8124548EA23A71C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1707853864.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1820283806.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.4%
Total number of Nodes:	147
Total number of Limit Nodes:	14

Executed Functions

Function 075CD020 Relevance: 17.9, Strings: 14, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 075CD925
$^q, xrefs: 075CD8D8
4c^q, xrefs: 075CD6F9
Hbq, xrefs: 075CD484
4c^q, xrefs: 075CD6DD
LR^q, xrefs: 075CD02D
4|cq, xrefs: 075CDE6D
4'^q, xrefs: 075CDA76
4c^q, xrefs: 075CD6EF
Hbq, xrefs: 075CD453
Hbq, xrefs: 075CD40C
$^q, xrefs: 075CD935
$^q, xrefs: 075CDA67
Hbq, xrefs: 075CD3DB

Memory Dump Source

Source File: 00000000.00000002.1828208520.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID: 4'^q$4c^q$4c^q$4c^q$4|cq$Hbq$Hbq$Hbq$Hbq$LR^q$$^q$$^q$$^q$$^q
API String ID: 0-193136497
Opcode ID: 1d1284f7882d0bd4c632599bce0ac6aa368bec83c35daf9fc2561e8876c748b7
Instruction ID: 05e5d64dff5a1bc1ed4f85a4841aa175659cb212524e7d577fa1dd11da4b8c8e
Opcode Fuzzy Hash: 1d1284f7882d0bd4c632599bce0ac6aa368bec83c35daf9fc2561e8876c748b7
Instruction Fuzzy Hash: C3E1A2B0B042568FDB19DBB9C4503BEBBF2BF86600F14847ED445DB291EA39D942C791

Function 075C92C0 Relevance: 16.2, Strings: 12, Instructions: 1191COMMON

Download Yara Rule

Strings

c^q, xrefs: 075C9C8E
$^q, xrefs: 075C9965
,bq, xrefs: 075C9EDF
Nv]q, xrefs: 075C95C8
$^q, xrefs: 075C994B
Hbq, xrefs: 075CA07A
4c^q, xrefs: 075C9C54
$^q, xrefs: 075CA2E3
(_^q, xrefs: 075C9D76
c^q, xrefs: 075C9C74
(_^q, xrefs: 075C9D5C
4c^q, xrefs: 075C9C3A

Memory Dump Source

Source File: 00000000.00000002.1828208520.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID: (_^q$(_^q$,bq$4c^q$4c^q$Hbq$Nv]q$$^q$$^q$$^q$c^q$c^q
API String ID: 0-692146702
Opcode ID: 05f24a4e880e15e73fa63621275565f33a0162efcaab750a33cc8e028868d679
Instruction ID: 9ab77d8c29622cc1a39a8e0ba10a0f190b8a5a53adca357a3d84e9ed913ae11e
Opcode Fuzzy Hash: 05f24a4e880e15e73fa63621275565f33a0162efcaab750a33cc8e028868d679
Instruction Fuzzy Hash: FE8261B4B002198FCB59EBBE945036DA6D6BFCDB40B2148AED40ADB395EE30DC454BD1

Function 075C39A8 Relevance: 6.6, Strings: 5, Instructions: 301
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 075C3CC1
Hbq, xrefs: 075C3D08
Hbq, xrefs: 075C3C7A
Hbq, xrefs: 075C3C18
Hbq, xrefs: 075C3C49

Memory Dump Source

Source File: 00000000.00000002.1828208520.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq$Hbq
API String ID: 0-1677660839
Opcode ID: 10c6c88d7789b183efa8b4aaccb649c9109d1304c3d3e631592066bdb9883181
Instruction ID: e830641ba3daaecfac8f609beb3754fef8a962b6304043743b4324fde1bd2206
Opcode Fuzzy Hash: 10c6c88d7789b183efa8b4aaccb649c9109d1304c3d3e631592066bdb9883181
Instruction Fuzzy Hash: 82C18FB1A0025ACFCB15DFB5C4502EDFBB2BF85301F24C66ED446AB241DB789A85CB91

Function 05D0BE40 Relevance: 5.5, Strings: 4, Instructions: 496
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 05D0C6A6
$^q, xrefs: 05D0C229
$^q, xrefs: 05D0C5D9
$^q, xrefs: 05D0C165

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 2784c0af392f8613bf43ef4d20250a7214ec15dc6de8548682b0b77b62a5b23c
Instruction ID: 3562d42998a7852fb08df43eeaec3db55b24e2412238fcb3e0a8ed092e7b704e
Opcode Fuzzy Hash: 2784c0af392f8613bf43ef4d20250a7214ec15dc6de8548682b0b77b62a5b23c
Instruction Fuzzy Hash: CD32B470E05228CFDB64DF65C894BEEBBB2BB49300F5095EAD409AB250DB319E85CF50

Function 075CD4C8 Relevance: 4.3, Strings: 3, Instructions: 546
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4|cq, xrefs: 075CDE6D
$^q, xrefs: 075CD6BD
$^q, xrefs: 075CDA67

Memory Dump Source

Source File: 00000000.00000002.1828208520.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID: 4|cq$$^q$$^q
API String ID: 0-2405269640
Opcode ID: 7902add288993562a1b3ff463000c8398250a30fbeef2df2dc34f30dae0777c7
Instruction ID: 0a0a9eff3724be9448561df29c8bdcf158b293f8f622d9f96cfbc03cfd347fe6
Opcode Fuzzy Hash: 7902add288993562a1b3ff463000c8398250a30fbeef2df2dc34f30dae0777c7
Instruction Fuzzy Hash: 94127BB1B002198FDB15DFBAC8547AEBBB6BF89200F14846EE509DB351DB349D468B90

Function 075C17D0 Relevance: 2.9, Strings: 2, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 075C1A50
1, xrefs: 075C1AD5

Memory Dump Source

Source File: 00000000.00000002.1828208520.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID: .$1
API String ID: 0-1839485796
Opcode ID: 0f55ef23a38f4507c4fc108c1f8a16d465a98aea5f2e60d1d2ba44671aa2e96a
Instruction ID: 3f1b148e898cae8c24eaaf4ed80c128ae26c3f70ca0860ffaf5ccc34d8b64d44
Opcode Fuzzy Hash: 0f55ef23a38f4507c4fc108c1f8a16d465a98aea5f2e60d1d2ba44671aa2e96a
Instruction Fuzzy Hash: 16F1EFB4E01229CFDB28DF65C884B9DBBB2BF8A301F1085A9D50AA7255DB315E85CF50

Function 05D0C910 Relevance: 2.7, Strings: 2, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 05D0CBF3
LR^q, xrefs: 05D0C9BA

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID: LR^q$PH^q
API String ID: 0-4173805542
Opcode ID: 48124b741b5e1dc53a92c28f983244cddefaed5541a49b881ee7a2ed65359bf9
Instruction ID: f2a1b516ce557478f0f6d89fc781b85a0b3c4a16972cde7e705650a8e28ad8c9
Opcode Fuzzy Hash: 48124b741b5e1dc53a92c28f983244cddefaed5541a49b881ee7a2ed65359bf9
Instruction Fuzzy Hash: DEA1D474E10218CFDB24DFA5C854BAEBBB2FF49301F1095AAD409AB2A4DB305D85CF51

Function 05D0E6C8 Relevance: 2.7, Strings: 2, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 05D0E82A
$^q, xrefs: 05D0E81A

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: fa1e40a5cd940165f47e9be672427587699dbc01fad2ee6ba736a730e107240a
Instruction ID: f72a3cb89e0fdfc24fc4c0bd3772725fdc132d1a5febf0a4d517dfd423688f96
Opcode Fuzzy Hash: fa1e40a5cd940165f47e9be672427587699dbc01fad2ee6ba736a730e107240a
Instruction Fuzzy Hash: 7F91C574E01218DFCB18DFA9D594A9DBBB2FF89301F60946AE409AB354DB359982CF00

Function 075C0040 Relevance: 2.6, APIs: 1, Instructions: 1088
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1828208520.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f227b6685846c1a73811dae637200216d27c86b68d0fcbfd57953317187ed2
Instruction ID: a935727c88424fcb4f6daf4d21cc29b7a374ec1ed526bbec383dde092c4d85dd
Opcode Fuzzy Hash: 01f227b6685846c1a73811dae637200216d27c86b68d0fcbfd57953317187ed2
Instruction Fuzzy Hash: B7C28F74A0122A8FCB65DF65D898B9DB7B2FB49301F1085EAD80DA7350DB34AE85CF41

Function 0573EFF8 Relevance: 2.5, Strings: 1, Instructions: 1234COMMON

Download Yara Rule

Strings

,7bq, xrefs: 0573F637

Memory Dump Source

Source File: 00000000.00000002.1824753263.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5730000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID: ,7bq
API String ID: 0-2588767232
Opcode ID: 3f67ef902806d0f59da839d656b4b9ce748003fbbe29695f8fd9daeb7b3c03b0
Instruction ID: d7a30a7f6d23a0c19fef4b09c66bc273b339e648aea4e30e9ecce484ff52aa66
Opcode Fuzzy Hash: 3f67ef902806d0f59da839d656b4b9ce748003fbbe29695f8fd9daeb7b3c03b0
Instruction Fuzzy Hash: DF92C074B102059FDB149BB898A563E7AF7FFC8350F644469E806DB396DE74EC029B80

Function 05D06EC8 Relevance: 1.6, APIs: 1, Instructions: 60libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05D06F2D

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 666531faa1b010e7d7b09b36ac2cdafae7f5c03c476c123fa8e35e9c4443e84f
Instruction ID: e10875d995daead559ccb11ac9143095a5c1f5be02045cde3297b0dbbfb1839b
Opcode Fuzzy Hash: 666531faa1b010e7d7b09b36ac2cdafae7f5c03c476c123fa8e35e9c4443e84f
Instruction Fuzzy Hash: 1E219F74E01218DFCB08DFA9E484ADDBBB2FB89350F10A16AE415B7360DB309891CF54

Function 075C45B8 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1828208520.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7f56d05d3b2461d5c330cec87f813070d10d3f3c895a6d92b260c6e7a88964
Instruction ID: c5f97584da85da9e4b23a8ee5e7e5a5373d5f8dd590870d82072e80ea8084b26
Opcode Fuzzy Hash: ae7f56d05d3b2461d5c330cec87f813070d10d3f3c895a6d92b260c6e7a88964
Instruction Fuzzy Hash: DA8260B46002568FDB69CF68D454BAA7BB1FF44308F2041EDD80A9B7A2E7349C95CF91

Function 05D09550 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1ee5b8d77a1e1d775803bed3de446a52dec25f50916d39faae5b06d202c070
Instruction ID: 561675ecd47489fc3768b70980d52a21d93fe7be151c60bda580bd4c019af403
Opcode Fuzzy Hash: 5e1ee5b8d77a1e1d775803bed3de446a52dec25f50916d39faae5b06d202c070
Instruction Fuzzy Hash: 9942AF74E01229CFDB64DF65C894BEEBBB2BB49300F5095EAD40AA7290DB315E85CF41

Function 05D0B538 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f36cdaaaf5d2d3280721b512c1bca3815f57f093b0aeb13d5241569ae8aefe6
Instruction ID: c0d07909c095ac5b851baa808e07b74eb2337ab9bf2c3532381147cacbcac6a3
Opcode Fuzzy Hash: 1f36cdaaaf5d2d3280721b512c1bca3815f57f093b0aeb13d5241569ae8aefe6
Instruction Fuzzy Hash: B0228C74D042298FDB65DF69C894BEDBBB2BF89300F5095EAD449A7250EB309E85CF40

Function 05D0AB68 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db1837b73bb7fd5f1f7957242be5fe3a06ddb2a487f54767e5e68c4f1299ccb
Instruction ID: bbdde5ba1c0f3a83f3d4334d90f9ba1918cae1883dfe1e86dae2a0194ba1b91c
Opcode Fuzzy Hash: 2db1837b73bb7fd5f1f7957242be5fe3a06ddb2a487f54767e5e68c4f1299ccb
Instruction Fuzzy Hash: AA02C174A01229CFDB64DF64C894B9EBBB2BF49300F1095EAD409A7390DB35AE85CF51

Function 05D087A8 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff22cdfd70d1b5bf8a73e3b9581f546b19d5400954815b2a3459f8c19c5bba75
Instruction ID: 30a05323ab6563cd2e4ee8b13bb26476802b5936441633c4553b9921a481b81e
Opcode Fuzzy Hash: ff22cdfd70d1b5bf8a73e3b9581f546b19d5400954815b2a3459f8c19c5bba75
Instruction Fuzzy Hash: D1F19274E01229CFDB68DF65C850BAEBBB2BF89300F1085AAD509A7250DB315E86CF51

Function 057389E0 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824753263.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5730000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a832d182b7bf4272212c6519d6c61e116971dfbf723e0a04a153a55bebb40f35
Instruction ID: bf340bbd6bee3aa4dbdf43027d0fa84db10949021085644f72cb8fc6008bb963
Opcode Fuzzy Hash: a832d182b7bf4272212c6519d6c61e116971dfbf723e0a04a153a55bebb40f35
Instruction Fuzzy Hash: E1D1E574910318CFDB18EFB4D854A9DBBB2FF8A301F1085AAE40AA7265DF315986CF51

Function 057389F0 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824753263.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5730000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b069c45d38791d147448dcc7f743fba61fa5ee3b4ac15497707aee238415ae
Instruction ID: f3b1042a028620246c5058391cf6c6b8dde663a4f497df16e339281a828e3df4
Opcode Fuzzy Hash: 00b069c45d38791d147448dcc7f743fba61fa5ee3b4ac15497707aee238415ae
Instruction Fuzzy Hash: AFD1E674910318CFDB18EFB4D854A9DBBB2FF8A301F10856AE40AA7265DF315986CF51

Function 05D07A30 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee2673793e4393055cbd28d7baadecfef8187a9199c873f74542917498f7048
Instruction ID: 91cca4178aeea6363ccff7f915027b92094adae579232440a1f28be27cac2747
Opcode Fuzzy Hash: 1ee2673793e4393055cbd28d7baadecfef8187a9199c873f74542917498f7048
Instruction Fuzzy Hash: 4BD18074E05218CFDB64DFA9C984B9DBBB2FF49301F1091AAD409AB355DB30A986CF50

Function 05D0A528 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dce7e81dfb6c60c75a7b5507e850e97998fbac06399d1782ac4e00c612f3eb3
Instruction ID: 502c4cce719663139f62911da1949e6ab35f308ec3000b8b00e23ddfa5578c33
Opcode Fuzzy Hash: 6dce7e81dfb6c60c75a7b5507e850e97998fbac06399d1782ac4e00c612f3eb3
Instruction Fuzzy Hash: 46D19F74E01218CFDB64DFA5D894B9DBBB2FF49301F5091AAD40AA7394DB309986CF11

Function 05D08DE8 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba84728fdebd3fc83595ab8828c01e8716ea7068e1efcf996df416bd3176c7bd
Instruction ID: 8c621b29592c75a1f077150f1b68ee22872fba36ebd621c909d8cd0dee4381a2
Opcode Fuzzy Hash: ba84728fdebd3fc83595ab8828c01e8716ea7068e1efcf996df416bd3176c7bd
Instruction Fuzzy Hash: 0BC1D770E01229CBDB68DF65C854BDEBBB2BF89300F1095EAD449B7290DB315A85CF51

Function 05D074D0 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e73885a33834ab5fe96332b21f64264938a141f26ee274b3931567f31d57a1f
Instruction ID: 24aee991f33e561be43b6ed933604d2a116876339b784b0aeccb3913438b2016
Opcode Fuzzy Hash: 7e73885a33834ab5fe96332b21f64264938a141f26ee274b3931567f31d57a1f
Instruction Fuzzy Hash: FAB1B474E01229CFDB64DF69C854B9DBBB2FF89300F5085AAD409AB351DB309985CF51

Function 05D08798 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd01ba2ed70be5feec565a6936a7b530eec791bf46356f3ca15722afee479504
Instruction ID: 4d553a529661ec839d819093e4576300e19d28c00827b4a39d9294017464bef3
Opcode Fuzzy Hash: fd01ba2ed70be5feec565a6936a7b530eec791bf46356f3ca15722afee479504
Instruction Fuzzy Hash: E0A1D774E01228DFDB64DFA5C850B9EBBB2BF89300F1081AAD90967395DB315E86CF51

Function 05D08DD7 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0590d22ed284b00af4c697c4cdef80eabb93d6c33b9f5ef1e75d312a2203a8
Instruction ID: b70658b05303eeedba3712f9262f50bf06c847599a3d2152c36ff485e39e585c
Opcode Fuzzy Hash: 0c0590d22ed284b00af4c697c4cdef80eabb93d6c33b9f5ef1e75d312a2203a8
Instruction Fuzzy Hash: 8991C771E012298BDB68DF69C8547DEBBB2BF89300F10C5EAD549AB290DB315A85CF50

Function 05D0ECE8 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ea9f3911e3ff49fa0d2b85549ce6ebee1fddd6bcdd1bcd5f7a010435962ecb
Instruction ID: 90f6f2bb8324ab33817c3284606c8f2757e8d0f451df29a071cf4a4fc4540c25
Opcode Fuzzy Hash: 54ea9f3911e3ff49fa0d2b85549ce6ebee1fddd6bcdd1bcd5f7a010435962ecb
Instruction Fuzzy Hash: A3911570D01219CFDB64DFA9C844B9DBBB6FF49300F1095AAD449A7351DB309A89CF41

Function 05D074C0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a08ff562fc74cc60445be20a6e2424aae637669e5ad0bf33bff44ca5ecd1058
Instruction ID: 57150c0bd9e1cfad2ff49c885c38c92a78c8fc451952b7c04e435b1c8d703188
Opcode Fuzzy Hash: 1a08ff562fc74cc60445be20a6e2424aae637669e5ad0bf33bff44ca5ecd1058
Instruction Fuzzy Hash: D031E671E016298BEB19CFA6C8547EEBBB3BF89300F14C16AC8186B255DB701986CF51

Function 017CAE30 Relevance: 1.7, APIs: 1, Instructions: 207COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 017CB086

Memory Dump Source

Source File: 00000000.00000002.1819957036.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c0000_pdusf6w2SJ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 020acebe91a2b43b8be0f20206a6348c981098d5d9e2a9c71ac31f760ae906cf
Instruction ID: 492c8f1b4c3c81ae65b41ed16c098190829a89573774da2369362c01556bc2b5
Opcode Fuzzy Hash: 020acebe91a2b43b8be0f20206a6348c981098d5d9e2a9c71ac31f760ae906cf
Instruction Fuzzy Hash: 308156B0A00B0A8FD724DF69D44575AFBF1FF48705F00892ED58A97A51EB35E846CB90

Function 05D06CF8 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D06E40

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 78f5d7f4521780bdc3a7a316b6418b170924f1c732d3cd813cd16c9d3abbe34a
Instruction ID: 73ca2b2382bda7388900941c3180f9ca5d9f13e6607b3e8b7950273826681cb3
Opcode Fuzzy Hash: 78f5d7f4521780bdc3a7a316b6418b170924f1c732d3cd813cd16c9d3abbe34a
Instruction Fuzzy Hash: 715191B4E052089FCB19DFAAD5946EDBBF2FB89300F10902AE415AB394DB349946CF51

Function 05D06CF7 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05D06E40

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4dd091a455230186555f3a579876a3cdd4da4752260fca2b1b26ccad2c0a20ee
Instruction ID: 1f3ad98a8d1b2deaa9a44c2bb28fa8fd950d3fea55e0a9b94fc3b55cfb463d50
Opcode Fuzzy Hash: 4dd091a455230186555f3a579876a3cdd4da4752260fca2b1b26ccad2c0a20ee
Instruction Fuzzy Hash: FB41A2B5E002189FCB19DFA5D5946EDBBF2FF88300F10902AE415AB354DB349946CF51

Function 017C5935 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 017C59F1

Memory Dump Source

Source File: 00000000.00000002.1819957036.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c0000_pdusf6w2SJ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9b8516168d8f4761ac4f86a3cdf51f71e2d1401a38865af6b2de6fa7723445c6
Instruction ID: 868bcd021cbf56df1af25e76d84972e4e856a28e1e15f236ecb9af30c69ad2d9
Opcode Fuzzy Hash: 9b8516168d8f4761ac4f86a3cdf51f71e2d1401a38865af6b2de6fa7723445c6
Instruction Fuzzy Hash: D041D2B0D00719CEDB24DFAAC884B9DBBB5FF49704F20805AD409AB251DB756985CF90

Function 05730BFC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05734381

Memory Dump Source

Source File: 00000000.00000002.1824753263.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5730000_pdusf6w2SJ.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a0f1b68779b48928dfc78656b8a3ad94a244acbd048ff12a6afdc3698cf8d55d
Instruction ID: ad65b086a0e7fe551d8f3417154ec8817d0188595ed2d94413ee5e187e868269
Opcode Fuzzy Hash: a0f1b68779b48928dfc78656b8a3ad94a244acbd048ff12a6afdc3698cf8d55d
Instruction Fuzzy Hash: 3B413AB4900309CFDB14DF99C489AAABBF6FF88324F24C459D519AB321D770A841CFA0

Function 017C4248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 017C59F1

Memory Dump Source

Source File: 00000000.00000002.1819957036.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c0000_pdusf6w2SJ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f8870b42aa4bd4c18a20b1063dff1911331eb49423c995f36b42d686a0638bf7
Instruction ID: 32d5aecb132e944c5f743d92adb07354ce5d5fecac770739a8f9ea6fd15f0241
Opcode Fuzzy Hash: f8870b42aa4bd4c18a20b1063dff1911331eb49423c995f36b42d686a0638bf7
Instruction Fuzzy Hash: C341CFB0D0071DCADB24DFAAC884B9DBBB5FF49714F20806AD409AB251DBB56985CF90

Function 017CC9A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,017CD2C6,?,?,?,?,?), ref: 017CD387

Memory Dump Source

Source File: 00000000.00000002.1819957036.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c0000_pdusf6w2SJ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 039e914956ea2dd951f4b180d273ae882372d72176dea268d0b41668b76bd775
Instruction ID: 09edeb0a69cdecfdd6c5cc70a9189efbbd6d0672b84287aec2b9a3c3c1578da6
Opcode Fuzzy Hash: 039e914956ea2dd951f4b180d273ae882372d72176dea268d0b41668b76bd775
Instruction Fuzzy Hash: 4A21E3B5900348DFDB10CF9AD984AEEFBF5EB48310F14846AE918A7350D374A954CFA4

Function 017CD2F9 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,017CD2C6,?,?,?,?,?), ref: 017CD387

Memory Dump Source

Source File: 00000000.00000002.1819957036.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c0000_pdusf6w2SJ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1a5ca78221fcdf29b73dddc325997ca4290d5ee25c52b02795741081b7daa29d
Instruction ID: 1416ba92084720c0d86add2c7ecb970f40247c4cf1235c8c1cacc3b8c195fba2
Opcode Fuzzy Hash: 1a5ca78221fcdf29b73dddc325997ca4290d5ee25c52b02795741081b7daa29d
Instruction Fuzzy Hash: 1621E0B5900209DFDB10CFA9D985AEEFBF5EB48310F14842AE918A3250C374A954CFA0

Function 075C6CE8 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,075C71DE), ref: 075C72E6

Memory Dump Source

Source File: 00000000.00000002.1828208520.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_pdusf6w2SJ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e2a55ddfb0ae5ff72b542932cf1cbc85893b1aa6f88727e0d4f97876476bc649
Instruction ID: 40510fc70e4601cb191966e5f7be666d40c86a379eafeb3f487614d21c99abf4
Opcode Fuzzy Hash: e2a55ddfb0ae5ff72b542932cf1cbc85893b1aa6f88727e0d4f97876476bc649
Instruction Fuzzy Hash: A61112B59003098FCB10DFAAC444BDEFBF5EB89310F14882AE419A7600D775A545CFA4

Function 075C727E Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E20,?,?,075C71DE), ref: 075C72E6

Memory Dump Source

Source File: 00000000.00000002.1828208520.00000000075C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75c0000_pdusf6w2SJ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5f83645b7c51edad0d61b3cab28bd17fb091d29e3d0fcac87e23434cfbaf4d15
Instruction ID: a5c32a672040587e7ac657d6d2361c66ab7306fbc7768f5a22c1a1aacbcd7e6c
Opcode Fuzzy Hash: 5f83645b7c51edad0d61b3cab28bd17fb091d29e3d0fcac87e23434cfbaf4d15
Instruction Fuzzy Hash: 751120B6C003098FCB10DFAAD844ADEFBF5EB88220F10882AD429A7600C775A545CFA1

Function 017CB020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 017CB086

Memory Dump Source

Source File: 00000000.00000002.1819957036.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c0000_pdusf6w2SJ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f6e8c203e55673a1715f34d318f170d19052d100326dcd3e4d5d580535daf24d
Instruction ID: 24d5fb490267a7e37cc58c05b4a48287822a95d91632322e5f94d2492d2a2d8e
Opcode Fuzzy Hash: f6e8c203e55673a1715f34d318f170d19052d100326dcd3e4d5d580535daf24d
Instruction Fuzzy Hash: E9110FB5C003498FDB20DF9AC444A9EFBF4EB89720F10842ED829A7210C375A585CFA1

Function 05D05F58 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05D06C75

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c5b5ed917afec8b7d325c1f5e98188885729b1886d1654a20abdd985ee3b64d9
Instruction ID: ea63125a66f0652c0d9c2c6411e40c7cacce925325405ec4eba681f66dbbace7
Opcode Fuzzy Hash: c5b5ed917afec8b7d325c1f5e98188885729b1886d1654a20abdd985ee3b64d9
Instruction Fuzzy Hash: 0C1103B59043499FCB20DF9AD548B9EBFF8EB48324F20885AD519A7340C374A944CFA9

Function 05D06C19 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05D06C75

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d204e865db0657e430a19682b86befa1a41e6d44378c749f1cec7768e5593e65
Instruction ID: 0a9a89edee3957c11ec58e86cc187c00daceab301b1f9a64d7a91b28f3e2650e
Opcode Fuzzy Hash: d204e865db0657e430a19682b86befa1a41e6d44378c749f1cec7768e5593e65
Instruction Fuzzy Hash: CE1130B08003498FCB20DFAAD488B9EBFF8EB48324F20845AD558A7240C334A944CFA5

Function 0145D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819105043.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_145d000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 781d4582b3dfd12e49130678287fc0d8f4571e9ccc1cfad6ed7634ced111ee93
Instruction ID: a8efc08e116a4425a59c439894bb2596bbe9ac1563c95c953e24e2c3a33b82c1
Opcode Fuzzy Hash: 781d4582b3dfd12e49130678287fc0d8f4571e9ccc1cfad6ed7634ced111ee93
Instruction Fuzzy Hash: 162102B1900200DFDB05DF48C9C0B66BF65FF94324F20C56ADD0A0A367C336E456CAA1

Function 0146D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819181137.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d361a2afa2ddf7bb407774e59667042992879f141babe38b8d62eb5ec1e5bf06
Instruction ID: 2e05523af351b18b05a73cb6a307c7077edcbb3891cce8b930e478e0f6ee112e
Opcode Fuzzy Hash: d361a2afa2ddf7bb407774e59667042992879f141babe38b8d62eb5ec1e5bf06
Instruction Fuzzy Hash: DD2103B5B04200DFCB15DF58D884B26BBA9EB8431CF24C56ED98A0B366C336D407CA62

Function 0146D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819181137.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_146d000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc628391ac70bb733ac51e5436853189af7491500a7504f580f806b2a3c5dc20
Instruction ID: cc575ef9dcbb5441ab1188f452d1b955aee5b83e858b518dd3f800b17a0df7bb
Opcode Fuzzy Hash: dc628391ac70bb733ac51e5436853189af7491500a7504f580f806b2a3c5dc20
Instruction Fuzzy Hash: 682180755093808FDB03CF24D594716BF71EB46218F28C5DBD8898B2A7C33A980ACB62

Function 0145D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819105043.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_145d000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: b7ff6e40dc236a17bac5c435811d8594dd8fc189ccc09ce7406b727d40fcfaa3
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 7511CD76904240CFDB06CF44D9C4B56BF72FB84224F24C2AADD090A267C33AE45ACBA1

Function 0145DA09 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819105043.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_145d000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f06dedb0455de76d376e57f997a0d4fb8576ad7dfcb95b0ab87ff28dd2475cd
Instruction ID: 9b07accdf42809158f5880d23e372c18f955fec9323efd9556cc7d1f0885b801
Opcode Fuzzy Hash: 2f06dedb0455de76d376e57f997a0d4fb8576ad7dfcb95b0ab87ff28dd2475cd
Instruction Fuzzy Hash: 5F01F27190D344DAE7608AAACC84B27BFD8DF51325F18C45BED090B2A7C2389C80CBB1

Function 0145DA08 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819105043.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_145d000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e8c7563779343b231c796069b1a45003d3ff8ca6d6497bf544a7283ebc346b
Instruction ID: ac5e3209138914393f15ecef11d439fb3b193510ba279b1f4a7f4170b2ecd255
Opcode Fuzzy Hash: 04e8c7563779343b231c796069b1a45003d3ff8ca6d6497bf544a7283ebc346b
Instruction Fuzzy Hash: 66F0C272808344DAE7618A4ADC84B63FFD8EF41734F18C05BED080B297C279A880CAB0

Non-executed Functions

Function 05D02190 Relevance: 2.7, Strings: 2, Instructions: 202COMMON

Download Yara Rule

Strings

$^q, xrefs: 05D02283
$^q, xrefs: 05D02341

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: b93db039a599428c77aa703fca73c409c20fc4aaed436b003ad0b4ba23f605ff
Instruction ID: 964132ebc74bdc76d0a1a6c2241d5f483d15a5fd1cace4405267cfde51619228
Opcode Fuzzy Hash: b93db039a599428c77aa703fca73c409c20fc4aaed436b003ad0b4ba23f605ff
Instruction Fuzzy Hash: C561C274E012189FDB04DFA9C884ADDBBB2FF89300F64902AD509BB365DB30A846CF50

Function 05D0D280 Relevance: 1.8, Strings: 1, Instructions: 528COMMON

Download Yara Rule

Strings

0oAp, xrefs: 05D0D6B7

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID: 0oAp
API String ID: 0-730047704
Opcode ID: f81364df4cd6c9f974f5a9b97414334939a52768ae6238293744675c984f2397
Instruction ID: 3f877735f76cf8fb0c3648cdee184a8eb959bee96b6dfc4bfc04a2851899e9e0
Opcode Fuzzy Hash: f81364df4cd6c9f974f5a9b97414334939a52768ae6238293744675c984f2397
Instruction Fuzzy Hash: D4429E74A012288FDB64DF65C894BEDBBB2BF49300F1085EAD409AB260DB349E85CF50

Function 05D003A0 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15629ea0d0dd88f8748cf0cdbbaa615ebb959d1442e200891a94e025f9e4c75
Instruction ID: 695844053ced718c8ba3650a8b23c4310d8726fb49f3b2eaa8c2e6d86c2ee986
Opcode Fuzzy Hash: f15629ea0d0dd88f8748cf0cdbbaa615ebb959d1442e200891a94e025f9e4c75
Instruction Fuzzy Hash: E9E15EB4F003199BDB04DFB9C895BAEBBB2EFA8701F50881AD509A7354CE395C42DB51

Function 05D003B0 Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c125078d156e2f04bb61d440b747899547ec93007a661d7b4f515cfd0fb6869d
Instruction ID: 6d794e8e66df0d49db4334dea39dc46d72b8d96b33f667c6f55ba24752630ace
Opcode Fuzzy Hash: c125078d156e2f04bb61d440b747899547ec93007a661d7b4f515cfd0fb6869d
Instruction Fuzzy Hash: 0BE15EB4F003199BDB04DFB9C895BAEBBB2EFA8701F50881AD509A7354CE395C42DB51

Function 05730040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824753263.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5730000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5313519d38a7e0c1f9ab19879c08400fdeb9ba535141558ca5ccf795fb3d04b9
Instruction ID: be93312da07adbaa5f2c20714d77195ae8912d0c081bce68e4d2e7ed8a08817d
Opcode Fuzzy Hash: 5313519d38a7e0c1f9ab19879c08400fdeb9ba535141558ca5ccf795fb3d04b9
Instruction Fuzzy Hash: 3412B6F4421749BBD310CF25E84E1A97FB2BB61318B506309EA622B2E1DFB4154ACF49

Function 05D05118 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee2afb115a88b70f9b1fbd8c4029c84a86e0bf1a66a104a135faf00db83b735
Instruction ID: 975402bdb75efc7ac872a478f0a11ffb653969c97e521f132df43fc8c9a3bd6c
Opcode Fuzzy Hash: cee2afb115a88b70f9b1fbd8c4029c84a86e0bf1a66a104a135faf00db83b735
Instruction Fuzzy Hash: 88B14D70E042099FDF14CFA9E8857EDBBF2BF88304F14952AD815A7294EB749846CF91

Function 05D059E8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada0613329837c8010bce08a5c80e743cdc3fb73598e49a5e6a7a1a410590788
Instruction ID: ccdb96048f1c9349a8bf933e0c24b3aa1f72c2b94078cfcda603939e495f7714
Opcode Fuzzy Hash: ada0613329837c8010bce08a5c80e743cdc3fb73598e49a5e6a7a1a410590788
Instruction Fuzzy Hash: 7DB18E70E002198FDF10DFA9E8857ADBBF2BF89314F14912AD815E7294EB74A845CF81

Function 017CDC74 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819957036.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c0000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeaa14fc7f7aab55ba135c855f04bd55cfce27536bda1853b4614871852a5e4a
Instruction ID: eddcacdcd60217b9cbc3616e8d7ef160bfe80640a0e92773b3465fa23866a2dc
Opcode Fuzzy Hash: eeaa14fc7f7aab55ba135c855f04bd55cfce27536bda1853b4614871852a5e4a
Instruction Fuzzy Hash: 5BA14B32E0021A9FCF15DFB9C8445AEFBB3BF84700B15856EE905AB265DB71E945CB80

Function 05D04DD0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c441b0bd9474a30fabbd418e1e3ff82fad4a6b9ea7ec0acb32de67bb216db5f
Instruction ID: df7092415213be41ece717f9068fb90dacc6a6364352bc76d01333afb5fe72de
Opcode Fuzzy Hash: 9c441b0bd9474a30fabbd418e1e3ff82fad4a6b9ea7ec0acb32de67bb216db5f
Instruction Fuzzy Hash: F3915F70E042099FDF14CFA9D985B9EBBF2FF88314F14952AE805A7294DB749885CF81

Function 0573001B Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1824753263.0000000005730000.00000040.00000800.00020000.00000000.sdmp, Offset: 05730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5730000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d619af6dbfa9f4ac1c9a270d943fb560d3949e8ec79ca0b8b4d493049babb51
Instruction ID: da72e10086b48d6d95b3190c3d17715058f913c5de3dca6fcee1f1fdeb340cb8
Opcode Fuzzy Hash: 6d619af6dbfa9f4ac1c9a270d943fb560d3949e8ec79ca0b8b4d493049babb51
Instruction Fuzzy Hash: 59C12DB442174ABFD310CF25E84A1A97FB2FBA5314F506309E5626B2E1DFB4144ACF49

Function 05D0BE3D Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33921abc8cb51a53d0e5b84e1115bf1d98e485ee0334703d556529a95d3775d6
Instruction ID: 27cf3ac245b8aca35eaf727f7f63a875bec01810a7188cc7aaded4b0192520b4
Opcode Fuzzy Hash: 33921abc8cb51a53d0e5b84e1115bf1d98e485ee0334703d556529a95d3775d6
Instruction Fuzzy Hash: D651C974E05218CFDB58DF6AC95079EBBB2BF88300F14D1AAD409A7265DB305E86CF51

Function 05D0A518 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78c3110b50d5f6de12aff82cf2a57e56f61294bd0f387b36783824009930639
Instruction ID: 6175abb99171c0eaee5fd21f125e5f7f0cda9dc2acd76353caa3341ead07263e
Opcode Fuzzy Hash: e78c3110b50d5f6de12aff82cf2a57e56f61294bd0f387b36783824009930639
Instruction Fuzzy Hash: 6B31F671E04349CBDB28CFAAD80469DFBF2BF89300F14D02AD419AB264DB701946CF51

Function 05D07A20 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390006ea705734f17a3ca81bade7437bb1c3140c84bb8999768feab66d00553c
Instruction ID: e1c47d2a77cde96d47950dbd735b0dcf8bf7c704a4b1f6e9bf54a4ac82828760
Opcode Fuzzy Hash: 390006ea705734f17a3ca81bade7437bb1c3140c84bb8999768feab66d00553c
Instruction Fuzzy Hash: 8531A2B5E056598BDB18CFAB98406DEFBF7EFC9300F14D12AC418AB255EB305906CB50

Function 017C25D8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1819957036.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17c0000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d615f3b0a08f919ca1f6ed901c281ed112d40320f2bb281ae0f5496e118960
Instruction ID: 1fb2b20fa2da93d272582d94ed16be965badee98647f59f1ee8710c14d0d84d1
Opcode Fuzzy Hash: 24d615f3b0a08f919ca1f6ed901c281ed112d40320f2bb281ae0f5496e118960
Instruction Fuzzy Hash: 3D21266A6183938FE307FA38C8D61867BA6E776245F05188BC140DE4E3E14DC615E74E

Function 05D09E3B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826525310.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d00000_pdusf6w2SJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be723d04bf38063f0756bd8280a7ea7f4595e309e9209842f97fd666c4b9ce24
Instruction ID: 45ef7b2af645729f4afa787f6d928d6c7483e8e06715e42bfcbf8f5ec7c9b41e
Opcode Fuzzy Hash: be723d04bf38063f0756bd8280a7ea7f4595e309e9209842f97fd666c4b9ce24
Instruction Fuzzy Hash: 69E09230C4B10EDADB10CF91C425BBFF671AB41205F60B4479849732C2CB708A458F56

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pdusf6w2SJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pdusf6w2SJ.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
pdusf6w2SJ.exe

Function 075CD020 Relevance: 17.9, Strings: 14, Instructions: 390
COMMON

Function 075C39A8 Relevance: 6.6, Strings: 5, Instructions: 301
COMMON

Function 05D0BE40 Relevance: 5.5, Strings: 4, Instructions: 496
COMMON

Function 075CD4C8 Relevance: 4.3, Strings: 3, Instructions: 546
COMMON

Function 075C17D0 Relevance: 2.9, Strings: 2, Instructions: 364
COMMON

Function 05D0C910 Relevance: 2.7, Strings: 2, Instructions: 219
COMMON

Function 05D0E6C8 Relevance: 2.7, Strings: 2, Instructions: 203
COMMON

Function 075C0040 Relevance: 2.6, APIs: 1, Instructions: 1088
COMMON