Edit tour

Windows Analysis Report
7xweUz2MYa.exe

Overview

General Information

Sample name:	7xweUz2MYa.exe renamed because original name is a hash value
Original sample name:	cad51c2ccdea145e70b041891e511917.exe
Analysis ID:	1570928
MD5:	cad51c2ccdea145e70b041891e511917
SHA1:	5e6b288348a790a91a27c434ee1eaebadacbe12c
SHA256:	55c0166f790956e3be24cd3ee78c69ebab031ed62bfbda058b3a653c1a75b518
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

Meduza Stealer, PureLog Stealer, RedLine, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Meduza Stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

7xweUz2MYa.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\7xweUz2MYa.exe" MD5: CAD51C2CCDEA145E70B041891E511917)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: RedLine

{"C2 url": ["66.63.187.209:6677"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
7xweUz2MYa.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
7xweUz2MYa.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7xweUz2MYa.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7xweUz2MYa.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45c17:$s1: file:/// 0x45b4f:$s2: {11111-22222-10009-11112} 0x45ba7:$s3: {11111-22222-50001-00000} 0x423fa:$s4: get_Module 0x42864:$s5: Reverse 0x45226:$s6: BlockCopy 0x42c23:$s7: ReadByte 0x45c29:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000000.1651651890.0000000000B92000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000000.1651651890.0000000000B92000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1741286863.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 7xweUz2MYa.exe PID: 7344	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: 7xweUz2MYa.exe PID: 7344	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 7xweUz2MYa.exe PID: 7344	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.7xweUz2MYa.exe.b90000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.7xweUz2MYa.exe.b90000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.7xweUz2MYa.exe.b90000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.0.7xweUz2MYa.exe.b90000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45c17:$s1: file:/// 0x45b4f:$s2: {11111-22222-10009-11112} 0x45ba7:$s3: {11111-22222-50001-00000} 0x423fa:$s4: get_Module 0x42864:$s5: Reverse 0x45226:$s6: BlockCopy 0x42c23:$s7: ReadByte 0x45c29:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-08T12:47:04.083217+0100	2046056	1	A Network Trojan was detected	66.63.187.209	6677	192.168.2.4	49730	TCP

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-08T12:47:03.154394+0100	2046045	1	A Network Trojan was detected	192.168.2.4	49730	66.63.187.209	6677	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 7xweUz2MYa.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: RedLine {"C2 url": ["66.63.187.209:6677"]}

Multi AV Scanner detection for submitted file

Source: 7xweUz2MYa.exe	ReversingLabs: Detection: 63%
Source: 7xweUz2MYa.exe	Virustotal: Detection: 56%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 7xweUz2MYa.exe

Joe Sandbox ML: detected

Source: 7xweUz2MYa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7xweUz2MYa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\SafetyTips\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49730 -> 66.63.187.209:6677
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 66.63.187.209:6677 -> 192.168.2.4:49730

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 66.63.187.209:6677

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 66.63.187.209:6677

Source: Joe Sandbox View

ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209
Source: unknown	TCP traffic detected without corresponding DNS query: 66.63.187.209

Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: 7xweUz2MYa.exe, 00000000.00000002.1750168764.000000001BEFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.000000000338B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: qC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)

Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field1
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field1Response
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field2
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field2Response
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field3
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field3Response
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.00000000035D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\7xweUz2MYa.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 7xweUz2MYa.exe, type: SAMPLE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.7xweUz2MYa.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: 7xweUz2MYa.exe, Strings.cs

Large array initialization: Strings: array initializer size 6160

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9B96C4CA	0_2_00007FFD9B96C4CA
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9B9616B3	0_2_00007FFD9B9616B3
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAC2335	0_2_00007FFD9BAC2335
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BACF869	0_2_00007FFD9BACF869
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BACB7D1	0_2_00007FFD9BACB7D1
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAC879E	0_2_00007FFD9BAC879E
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAC168D	0_2_00007FFD9BAC168D
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAC8ED1	0_2_00007FFD9BAC8ED1
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BABDDF9	0_2_00007FFD9BABDDF9
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAC9C18	0_2_00007FFD9BAC9C18
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAB8BE9	0_2_00007FFD9BAB8BE9
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BABE8DB	0_2_00007FFD9BABE8DB
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAC9683	0_2_00007FFD9BAC9683

Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 7xweUz2MYa.exe
Source: 7xweUz2MYa.exe, 00000000.00000000.1651651890.0000000000C1E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGristles.exe" vs 7xweUz2MYa.exe
Source: 7xweUz2MYa.exe	Binary or memory string: OriginalFilenameGristles.exe" vs 7xweUz2MYa.exe

Source: 7xweUz2MYa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7xweUz2MYa.exe, type: SAMPLE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.7xweUz2MYa.exe.b90000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: 7xweUz2MYa.exe, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7xweUz2MYa.exe, Class4.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7xweUz2MYa.exe, Class4.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\7xweUz2MYa.exe

File created: C:\Users\user\AppData\Local\Microsoft\Wind?ws

Jump to behavior

Source: C:\Users\user\Desktop\7xweUz2MYa.exe

Mutant created: NULL

Source: 7xweUz2MYa.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 7xweUz2MYa.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\7xweUz2MYa.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7xweUz2MYa.exe	ReversingLabs: Detection: 63%
Source: 7xweUz2MYa.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\7xweUz2MYa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 7xweUz2MYa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 7xweUz2MYa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 7xweUz2MYa.exe, Class4.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: 7xweUz2MYa.exe

Static PE information: 0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9B8963EE push ss; retf	0_2_00007FFD9B8963EF
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9B895CB0 push edi; iretd	0_2_00007FFD9B895CB6
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9B962004 pushad ; retf	0_2_00007FFD9B962005
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAB5A79 push esp; retf 5F2Bh	0_2_00007FFD9BAB5AD9
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BABDDF9 push esi; retf 5B05h	0_2_00007FFD9BAC0777
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAB638E push ecx; iretd	0_2_00007FFD9BAB639A
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAC8112 push eax; ret	0_2_00007FFD9BAC8121
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAC8158 push ebx; ret	0_2_00007FFD9BAC816A
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAC8148 push ebx; ret	0_2_00007FFD9BAC816A
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAB0664 push ecx; iretd	0_2_00007FFD9BAB0665
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAB06C8 push ecx; iretd	0_2_00007FFD9BAB06C9
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAB761F push ecx; iretd	0_2_00007FFD9BAB7620
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Code function: 0_2_00007FFD9BAB64E2 push ecx; iretd	0_2_00007FFD9BAB64E8

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\7xweUz2MYa.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\7xweUz2MYa.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: \QEMU-GA.EXE

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Memory allocated: 1270000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Memory allocated: 1ADF0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Window / User API: threadDelayed 2362			Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Window / User API: threadDelayed 3453			Jump to behavior

Source: C:\Users\user\Desktop\7xweUz2MYa.exe TID: 7528	Thread sleep time: -20291418481080494s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe TID: 7364	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\7xweUz2MYa.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\SafetyTips\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\	Jump to behavior

Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: 7xweUz2MYa.exe, 00000000.00000002.1750168764.000000001BEC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\7xweUz2MYa.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\7xweUz2MYa.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\7xweUz2MYa.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Queries volume information: C:\Users\user\Desktop\7xweUz2MYa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\7xweUz2MYa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: 7xweUz2MYa.exe PID: 7344, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 7xweUz2MYa.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7xweUz2MYa.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1651651890.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7xweUz2MYa.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7xweUz2MYa.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1651651890.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7xweUz2MYa.exe PID: 7344, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 7xweUz2MYa.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7xweUz2MYa.exe.b90000.0.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectronCash
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: 7xweUz2MYa.exe, 00000000.00000000.1651651890.0000000000B92000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\7xweUz2MYa.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior

Source: Yara match	File source: 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741286863.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7xweUz2MYa.exe PID: 7344, type: MEMORYSTR

Remote Access Functionality

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: 7xweUz2MYa.exe PID: 7344, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 7xweUz2MYa.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7xweUz2MYa.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1651651890.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7xweUz2MYa.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7xweUz2MYa.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1651651890.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7xweUz2MYa.exe PID: 7344, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 7xweUz2MYa.exe, type: SAMPLE
Source: Yara match	File source: 0.0.7xweUz2MYa.exe.b90000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	321 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
7xweUz2MYa.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
7xweUz2MYa.exe	57%	Virustotal		Browse
7xweUz2MYa.exe	100%	Avira	TR/AD.RedLineSteal.zieqc
7xweUz2MYa.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
66.63.187.209:6677	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
66.63.187.209:6677	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discord.com/api/v9/users/	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field1Response	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ip.sb/ip	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/sc	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.w3.oh	7xweUz2MYa.exe, 00000000.00000002.1741286863.00000000035D7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field1	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/envelope/	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field2	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field3	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/06/addressingex	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field3Response	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012FBC000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000012E2F000.00000004.00000800.00020000.00000000.sdmp, 7xweUz2MYa.exe, 00000000.00000002.1746614794.0000000013015000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2002/12/policy	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext	7xweUz2MYa.exe, 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
66.63.187.209	unknown	United States		8100	ASN-QUADRANET-GLOBALUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570928
Start date and time:	2024-12-08 12:46:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7xweUz2MYa.exe renamed because original name is a hash value
Original Sample Name:	cad51c2ccdea145e70b041891e511917.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:47:05	API Interceptor	28x Sleep call for process: 7xweUz2MYa.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	.main.elf	Get hash	malicious	Xmrig	Browse	66.63.187.200
	jew.arm6.elf	Get hash	malicious	Unknown	Browse	173.205.82.66
	jew.mpsl.elf	Get hash	malicious	Unknown	Browse	154.205.102.60
	bcUcEm7AqP.exe	Get hash	malicious	AsyncRAT	Browse	69.174.100.131
	ET5.exe	Get hash	malicious	Unknown	Browse	45.61.165.224
	na.elf	Get hash	malicious	Unknown	Browse	194.146.117.28
	BQ_PO#385995.exe	Get hash	malicious	RedLine, Snake Keylogger, VIP Keylogger, XWorm	Browse	69.174.100.131
	Vwf30y6XRO.exe	Get hash	malicious	Crimson	Browse	104.223.106.8
	Vwf30y6XRO.exe	Get hash	malicious	Crimson	Browse	104.223.106.8
	SujNUVdm7o.exe	Get hash	malicious	GuLoader	Browse	72.11.142.133

Process:	C:\Users\user\Desktop\7xweUz2MYa.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2611
Entropy (8bit):	5.363358188931451
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkafHKWA1eXrHKlT48BHK7HKmTHlHNW:iq+wmj0qCYqGSI6oPtzHeqKkGqhA7qZR
MD5:	CEA017D10C4D437981D19F21660A47FA
SHA1:	61AAFCECB5325DE172857CEF7C7E1F230F73AFFD
SHA-256:	60B099420455DECD1878FE84F217CFE478BA0BA5E6E574077150D08355A1DD96
SHA-512:	413384BF9D2EDC9BC2DF6D5175D09A33B91CCF9C53FE3CB21892CB57AF4FD8A9BE0608E9BCA57AF4A7F2709A4C110148719DA3210460DF433CFD77FA753B9CF8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.180175549203464
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	7xweUz2MYa.exe
File size:	743'424 bytes
MD5:	cad51c2ccdea145e70b041891e511917
SHA1:	5e6b288348a790a91a27c434ee1eaebadacbe12c
SHA256:	55c0166f790956e3be24cd3ee78c69ebab031ed62bfbda058b3a653c1a75b518
SHA512:	cb498dcf9b526c91547f4e1baa5a3c9bd1655a1c30661058e40aaa8e28b91aa0a335fc08cfd30617bd4c64a922cf7adf917cea3a5da6cedf82291bee1e7dc25d
SSDEEP:	12288:6D6YDzqx5XBNt1BrivR0V4TBjgYxs1wl206gBawFV2ceSb0BQ/GfM/4QiAzojgJI:6D6Y3qx51NbXA
TLSH:	0DF4701C5BBC058CEC8CD531BE20C9326EA04E08919FCB49A569FA151EB6277B3F5BD1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	0e9696961617e982

Static PE Info

General

Entrypoint:	0x44d0ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4d098	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4e000	0x6a022	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4b0f4	0x4b200	c631acac73230187a1fde9c6e846657d	False	0.4180239964642263	data	6.528645095641414	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4e000	0x6a022	0x6a200	65e4195d76e2641b30f5c060426a53b1	False	0.04090059997055359	data	3.4733020781588206	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0xc	0x200	3a13fecd19ca9773d82cc3855bc1b8eb	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4e2b0	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	0.019047548598988075
RT_ICON	0x902d8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.03903939429788241
RT_ICON	0xa0b00	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.0580460374185411
RT_ICON	0xa9fa8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.08243992606284659
RT_ICON	0xaf430	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.0987836561171469
RT_ICON	0xb3658	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.14284232365145227
RT_ICON	0xb5c00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.22537523452157598
RT_ICON	0xb6ca8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.30901639344262294
RT_ICON	0xb7630	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.4530141843971631
RT_GROUP_ICON	0xb7a98	0x84	data	0.7196969696969697
RT_VERSION	0xb7b1c	0x31c	data	0.4535175879396985
RT_MANIFEST	0xb7e38	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-08T12:47:03.154394+0100	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	1	192.168.2.4	49730	66.63.187.209	6677	TCP
2024-12-08T12:47:04.083217+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	66.63.187.209	6677	192.168.2.4	49730	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 8, 2024 12:47:01.586350918 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:01.705884933 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:01.706087112 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:01.713340044 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:01.832766056 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:03.084048033 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:03.124361038 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:03.154393911 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:03.276129961 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:03.614435911 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:03.621504068 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:03.740856886 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.083070993 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.083087921 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.083097935 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.083214998 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:04.083216906 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.083251953 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.083266973 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.083270073 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:04.083276987 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.083308935 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:04.083530903 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.083574057 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:04.091398001 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.091481924 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.091521978 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:04.099785089 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.099853992 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.099903107 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:04.274957895 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.275043964 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.275119066 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:04.278918028 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.279026985 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.279083967 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:04.394503117 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.394515038 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:04.394577026 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.479460001 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.598975897 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.599001884 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.599010944 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.599050999 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.599067926 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.599102020 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.599109888 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.599138975 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.599174023 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.599181890 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.599189997 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.599231005 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.599239111 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.599266052 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.599319935 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.718449116 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.718506098 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.718534946 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.718537092 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.718554020 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.718568087 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.718650103 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.718657970 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.718687057 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.718687057 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.718708038 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.718750954 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.718779087 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.718805075 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.718833923 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.718871117 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.718883991 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.718934059 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.718950987 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.718975067 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.719002962 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.719022989 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.719042063 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.719126940 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.837865114 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.837889910 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.837951899 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.837994099 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.838064909 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838090897 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.838114977 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838145971 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.838223934 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838253975 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.838291883 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838303089 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.838368893 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.838396072 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838532925 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838542938 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838560104 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.838596106 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838598013 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.838604927 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838634014 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838663101 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.838690042 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838725090 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838752985 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.838782072 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838790894 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838823080 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.838862896 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838871956 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838903904 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.838934898 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.838944912 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.839051008 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.839056015 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.839060068 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.839102030 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.839127064 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.839195013 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.839221001 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.839229107 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.839327097 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.839337111 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.839348078 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.839410067 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.957484007 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.957510948 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.957598925 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.957607985 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.957643986 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.957650900 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.957659006 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.957674026 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.957762957 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.957803965 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.957812071 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.957866907 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.957959890 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.957967997 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.957997084 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958025932 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.958050966 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958174944 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958187103 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958307981 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958316088 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958372116 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958379984 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958482027 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958488941 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958565950 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958573103 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958605051 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958631039 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958704948 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958806038 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958813906 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958822012 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958918095 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958925962 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.958969116 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959032059 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959081888 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959089994 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959136963 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959177017 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959264994 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959300995 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959309101 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959342003 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959376097 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959428072 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959517956 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959526062 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959556103 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.959569931 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959580898 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959588051 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959619999 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:07.959640980 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959650040 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959656954 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959665060 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959728003 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959737062 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959764004 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959772110 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959836960 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959846020 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959878922 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959894896 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959975958 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.959985018 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.960019112 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.960028887 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.960114956 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.960124969 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.960199118 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.960207939 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.960254908 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.960293055 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:07.960331917 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077049971 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077064991 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077081919 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077090979 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077208042 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077217102 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077325106 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077333927 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077491045 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077533007 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077636957 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077666044 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077765942 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077780962 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077805996 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077815056 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077830076 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077837944 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077940941 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.077955008 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.078170061 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.078804016 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.078936100 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.078999996 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079005957 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.079009056 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079087973 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079097033 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079190016 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079197884 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079222918 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079235077 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079339027 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079346895 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079451084 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079458952 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079586029 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079592943 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079617023 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079660892 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079727888 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079735994 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079770088 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079807043 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079859018 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.079886913 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080027103 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080034971 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080049038 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080056906 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080087900 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080154896 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080163002 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080190897 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080226898 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080324888 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080332994 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080352068 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080365896 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080405951 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080420017 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080598116 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080641031 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080688953 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080739975 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080748081 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080854893 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080863953 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080871105 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080910921 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080919027 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080926895 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080934048 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080944061 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080950975 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.080957890 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.081052065 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.081377983 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.081442118 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.198394060 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.198410988 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.198430061 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.198440075 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.198573112 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.198581934 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.198631048 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.198678017 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.198824883 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.198833942 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.198961973 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.198971033 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199089050 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199114084 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199227095 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199249983 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199407101 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199415922 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199547052 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199556112 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199594021 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199603081 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199651003 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199660063 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199762106 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199846983 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199856997 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199865103 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199908972 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199918032 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199954987 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.199997902 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200045109 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200053930 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200153112 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200161934 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200217962 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200227022 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200268984 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200285912 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200333118 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200427055 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200436115 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200542927 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200551987 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200560093 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200647116 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200655937 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200666904 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200671911 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200776100 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200786114 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200829983 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200839996 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200858116 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200871944 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200911999 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.200922012 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201035023 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201044083 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201098919 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201116085 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201138020 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.201221943 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.201225996 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201242924 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201281071 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201359034 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201378107 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201412916 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201430082 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201478958 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201494932 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201607943 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201617002 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201747894 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201759100 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201802015 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201812983 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201875925 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201884985 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.201945066 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202034950 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202044964 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202085018 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202095032 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202109098 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202205896 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202214956 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202281952 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202291965 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202372074 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202380896 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202457905 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202476025 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202543974 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202553034 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202603102 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202652931 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202734947 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202754974 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202795029 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202805042 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202939987 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202949047 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202958107 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.202966928 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.203037977 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.203047037 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.203335047 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.203661919 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.203731060 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.320647955 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.320660114 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.320741892 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.320883989 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.320972919 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.320991039 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321121931 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321130991 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321163893 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321223021 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321270943 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321307898 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321405888 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321414948 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321521044 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321530104 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321597099 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321605921 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321702003 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321711063 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321738005 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321774960 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321815968 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321857929 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321909904 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321937084 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321945906 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.321996927 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322010994 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322086096 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322094917 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322151899 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322160959 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322225094 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322232962 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322300911 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322324991 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322384119 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322400093 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322535992 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322546005 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322627068 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322634935 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322678089 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322686911 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322766066 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322774887 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322809935 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322819948 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322932005 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.322942019 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323035002 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323050976 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323177099 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323187113 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323244095 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323254108 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323295116 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323317051 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323416948 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323450089 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323467016 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.323503017 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323537111 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.323549032 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323597908 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323684931 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323797941 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323807955 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323847055 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323873043 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323932886 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.323992968 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324059010 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324068069 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324112892 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324153900 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324294090 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324302912 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324316978 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324376106 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324445009 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324520111 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324533939 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324544907 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324635983 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324645996 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324702978 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324712992 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324790955 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324800968 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324883938 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324892998 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324939013 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.324948072 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325047016 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325056076 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325166941 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325176001 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325210094 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325285912 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325294971 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325395107 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325403929 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325412989 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325463057 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325473070 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325480938 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325489998 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325583935 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.325815916 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.325880051 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.442929029 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.442950010 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.442987919 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.443054914 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.443160057 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.443166971 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.443237066 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.443253040 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.443382978 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.443450928 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.443584919 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.443614960 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.443702936 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.443752050 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.443836927 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.443866968 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.443923950 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444030046 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444039106 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444094896 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444103003 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444106102 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444117069 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444125891 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444235086 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444242954 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444314003 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444329023 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444442987 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444452047 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444488049 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444554090 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444652081 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444659948 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444684029 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444700956 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444781065 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444788933 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444888115 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444895983 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444909096 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444916010 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444947004 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.444983006 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445034981 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445121050 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445204973 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445213079 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445401907 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445410013 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445492983 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445508003 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445662975 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445671082 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445677996 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445768118 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445848942 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445950985 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445957899 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.445970058 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.445995092 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.446052074 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.446079016 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.446124077 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.446166039 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.446295977 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.446346998 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.446441889 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.446480989 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.446599960 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.446810007 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.446824074 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.446850061 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.446944952 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.446983099 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.447077990 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.447084904 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.447124958 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.447243929 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.447298050 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.447416067 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.447496891 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.447544098 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.447591066 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.447633982 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.447643042 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.447762966 CET	49730	6677	192.168.2.4	66.63.187.209
Dec 8, 2024 12:47:08.569461107 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.569523096 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.569593906 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.569725037 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.569802999 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.569885969 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.569971085 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.570039988 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.570169926 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.570236921 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.570422888 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.570569038 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.570609093 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.570672035 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.570774078 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.570826054 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.570878029 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.570967913 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.571093082 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.571110010 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.571167946 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.571252108 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.571297884 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.571362019 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.571418047 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.571507931 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.571614027 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.571644068 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:08.571785927 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:09.437051058 CET	6677	49730	66.63.187.209	192.168.2.4
Dec 8, 2024 12:47:09.458596945 CET	49730	6677	192.168.2.4	66.63.187.209

Target ID:	0
Start time:	06:46:59
Start date:	08/12/2024
Path:	C:\Users\user\Desktop\7xweUz2MYa.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\7xweUz2MYa.exe"
Imagebase:	0xb90000
File size:	743'424 bytes
MD5 hash:	CAD51C2CCDEA145E70B041891E511917
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1741286863.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1651651890.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1651651890.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1741286863.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	45.5%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFD9BABDDF9 Relevance: 3.1, Instructions: 3068
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1758070361.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8982d4309e4b9022ea9b615e440a6feaa86953c195dc07875be194ac2c784bd7
Instruction ID: f1f2cd1a68132e0693cb88c7139a38fc9c43abd85a76c73b328057d3f66dd97c
Opcode Fuzzy Hash: 8982d4309e4b9022ea9b615e440a6feaa86953c195dc07875be194ac2c784bd7
Instruction Fuzzy Hash: 2143BC70E1992D8FDFA8DB18C895BA9B7B1FB68301F5141EA900DE3291DE756E81CF40

Function 00007FFD9BACF869 Relevance: 2.4, APIs: 1, Instructions: 859
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1758070361.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f39f5e3e15356d2dfe727c723b5b5e31d1c80a9bd286f23b6aff6082fc1886
Instruction ID: d2fa2eaeb59b2994cc59c470c964d97c0113232e80f87afe1795a99e7021f2b0
Opcode Fuzzy Hash: 49f39f5e3e15356d2dfe727c723b5b5e31d1c80a9bd286f23b6aff6082fc1886
Instruction Fuzzy Hash: FE420430B0DA4D4FDB68EB68D4616B5B7E1EF99310F15017ED04AC72A2DB66F8468780

Function 00007FFD9BAB8BE9 Relevance: 2.2, Strings: 1, Instructions: 996
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@B/, xrefs: 00007FFD9BAB8F11

Memory Dump Source

Source File: 00000000.00000002.1758070361.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID: @B/
API String ID: 0-3863299084
Opcode ID: d148fa9cfb2eebabae4477a7ca06137833f2e480ccf6ed35a55e0f7444ed3e5d
Instruction ID: f8efd2f9e77359030b89827a5c5437cc963d9640eaf8611fc2219f53d5ddff91
Opcode Fuzzy Hash: d148fa9cfb2eebabae4477a7ca06137833f2e480ccf6ed35a55e0f7444ed3e5d
Instruction Fuzzy Hash: 2582FF70E1962D8FDBA9DB58C8A9BE8B7B1FF58300F5101E9D01DD32A1DA756A81CF40

Function 00007FFD9B96C4CA Relevance: 2.0, Strings: 1, Instructions: 766
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ZK_H, xrefs: 00007FFD9B96C9CF

Memory Dump Source

Source File: 00000000.00000002.1757123970.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID: ZK_H
API String ID: 0-3156204226
Opcode ID: 884a9634bd97d9405cbdb3acbe7a59cfe166f7f34122e05eafd5646c36448926
Instruction ID: 694a9d74605db5a21da3251600647f49c6e7716e621cdbb7fe4db6d07f177f47
Opcode Fuzzy Hash: 884a9634bd97d9405cbdb3acbe7a59cfe166f7f34122e05eafd5646c36448926
Instruction Fuzzy Hash: 23220571B1EA4D4FE7A8EB2C84A562877E1FFA9700B0501BEE45EC72B7DD25AC418341

Function 00007FFD9BAC168D Relevance: 1.1, Instructions: 1114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1758070361.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae82d7df35dd9a4a71d7a9583f704df13c9c7638d8ef574f1d0b7001a534aab
Instruction ID: 637751149ab0e2ce2790d365f3e39c014268571e4972e321872c25cd9306bbd1
Opcode Fuzzy Hash: dae82d7df35dd9a4a71d7a9583f704df13c9c7638d8ef574f1d0b7001a534aab
Instruction Fuzzy Hash: D962A230B1DA094FEB68EB6C9465A7573D2FF68310F5501BAE44EC72A6DE24FC428781

Function 00007FFD9B9616B3 Relevance: .9, Instructions: 867
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1757123970.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96491bc8649a6005c1c778ff8b377e53ae9734292a1f82c5b6ee6c80bc5a26da
Instruction ID: 0618286c0ddf2126c30410592b3ccd8fb0c82641e7a4427bddc52f99cb21657f
Opcode Fuzzy Hash: 96491bc8649a6005c1c778ff8b377e53ae9734292a1f82c5b6ee6c80bc5a26da
Instruction Fuzzy Hash: F2320530B1DA5D9FE7A8D76C946563837D1EF95314B1502BAD04EC32E7DE28EC428781

Function 00007FFD9BAC8ED1 Relevance: .9, Instructions: 858COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758070361.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d7bc0347cfed86739847cfb68cf44ebfd4427c5ea048cef5484b7edfaf4544
Instruction ID: 06319608b704e23c3504e0dd238c3099b7354946ec138ded0a12b8e3f9f74c5b
Opcode Fuzzy Hash: b5d7bc0347cfed86739847cfb68cf44ebfd4427c5ea048cef5484b7edfaf4544
Instruction Fuzzy Hash: CD424931B1EE494FD7A9AF29942567577D1FF9A310F0402BED08EC31E2DE25B9068781

Function 00007FFD9BAC2335 Relevance: .8, Instructions: 804
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1758070361.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8fd66843006b38dbadd3e88d4a5e830e66aefd0d40ff9114c4e62e8afde4ad1
Instruction ID: b211360206d9e216329c2a0525bb97665f851b20fc02c1b9bb69f64a765045e1
Opcode Fuzzy Hash: d8fd66843006b38dbadd3e88d4a5e830e66aefd0d40ff9114c4e62e8afde4ad1
Instruction Fuzzy Hash: E6428470B19A0D8FDBA8EB98C4A5BB877E1FF58300F1541B9D44DD3292DE74A982CB41

Function 00007FFD9BACB7D1 Relevance: .7, Instructions: 679COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758070361.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a0c255c63149e3cb642a62b062ed0165a7f3e93bddc23571e792fb3e2feaa6
Instruction ID: e7589b35b9e1d08162c1ae06302ca575b78848195a86a92024175e1a7cfa4805
Opcode Fuzzy Hash: 13a0c255c63149e3cb642a62b062ed0165a7f3e93bddc23571e792fb3e2feaa6
Instruction Fuzzy Hash: 0E22A030A18B4D8FDB68EB68C4A1A75B7E1FF58300B54457ED08AC36A2DE35F946CB41

Function 00007FFD9BAC879E Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758070361.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28936814873898634d2138fab031fde6e53de4445924980d3b509f4ff18910e5
Instruction ID: e7be332022fc52f2f95fcb6c99944c5e8c86e74212fe7115ed92391b7f670991
Opcode Fuzzy Hash: 28936814873898634d2138fab031fde6e53de4445924980d3b509f4ff18910e5
Instruction Fuzzy Hash: A202E171B1DA094BDB68EB689465579B7D1FF98310F05027EE48EC32A2DE24F8428781

Function 00007FFD9BABE8DB Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758070361.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb97806e406eede3630a29565039edfba0129c9ef2fd995d947529ab78c150e
Instruction ID: 1a5941de2d31593381b30c35daf2f8cd6ddd2e8be840655a25d44f467a7c165f
Opcode Fuzzy Hash: 2fb97806e406eede3630a29565039edfba0129c9ef2fd995d947529ab78c150e
Instruction Fuzzy Hash: 03F17974A1492D8FDFA8DB18C8A5BA8B7B1FB68305F5041EA910DE3291DB716EC1CF44

Function 00007FFD9BABB7D5 Relevance: 1.8, APIs: 1, Instructions: 252
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00007FFD9BABB99F

Memory Dump Source

Source File: 00000000.00000002.1758070361.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_7xweUz2MYa.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3dfbaf3e62397f0b9dd28b486f3e8369659955fa5fff0e31b06bbb9d80e9e507
Instruction ID: fbdd4faba4e369742ede87041a4b772a3af0b13fede7a44874b975fe6b09e89b
Opcode Fuzzy Hash: 3dfbaf3e62397f0b9dd28b486f3e8369659955fa5fff0e31b06bbb9d80e9e507
Instruction Fuzzy Hash: EA71D530918B8C8FEB68DF28D8567E977E1FF58310F10426AE85DC7252DB74A9418BC2

Function 00007FFD9BABCD49 Relevance: 1.7, APIs: 1, Instructions: 159
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE ref: 00007FFD9BABCE4A

Memory Dump Source

Source File: 00000000.00000002.1758070361.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_7xweUz2MYa.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: e8d8b5c6d8fc6c1b2a7376280d0545394d07a2ee3fbe6593133e4c978effc352
Instruction ID: 6f9ce4a033e82367c707fa33673aeb23be55fbc53a41c02f0d2b8ca0fa218b9c
Opcode Fuzzy Hash: e8d8b5c6d8fc6c1b2a7376280d0545394d07a2ee3fbe6593133e4c978effc352
Instruction Fuzzy Hash: 74418F71E08B1C8FDB58DF58D845AEDBBF1FB99310F0042AAD04DD7296DA74A845CB81

Function 00007FFD9B96C010 Relevance: 1.5, Strings: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|@_H, xrefs: 00007FFD9B96C05E

Memory Dump Source

Source File: 00000000.00000002.1757123970.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID: |@_H
API String ID: 0-890488257
Opcode ID: 3e3b7e8b6b2f078bf3c95da3e02b1471c8dd55725d137a492f299757f75695bd
Instruction ID: 0b952cff64ac764cd81cc3d204b1d04691b00e78836eebc66a5cbacec470da81
Opcode Fuzzy Hash: 3e3b7e8b6b2f078bf3c95da3e02b1471c8dd55725d137a492f299757f75695bd
Instruction Fuzzy Hash: 1C712321B1EB895FE765EB6C88656247BE1EF66310B0A01FFE44DC71B3D919AC41C341

Function 00007FFD9B96D9CA Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFD9B96DA72

Memory Dump Source

Source File: 00000000.00000002.1757123970.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 028fdb019236fc86b5cfe09f47e77201e93e4db43b12f6be91721546a45f3cab
Instruction ID: 9022df375225d3ce041cabfd68bf6007edcfd885ee5e734864ccf741aab1cb4f
Opcode Fuzzy Hash: 028fdb019236fc86b5cfe09f47e77201e93e4db43b12f6be91721546a45f3cab
Instruction Fuzzy Hash: 2E41957172CE0D8FDBA8EB1CD465A64B3D1FF98710B1502AAE05EC7276DE25EC428781

Function 00007FFD9B897D65 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f95ec4ead921ee39aab58d00ae2736c2af70d5445c73c4571d26b4d5729d19
Instruction ID: ad533aecc57070dac0eb270ff7eb66add10220112653afe0888abe27a57a2cce
Opcode Fuzzy Hash: c0f95ec4ead921ee39aab58d00ae2736c2af70d5445c73c4571d26b4d5729d19
Instruction Fuzzy Hash: 9AD15271A0995D4FEBA8EB188865AA8B7F1FF68340F5141F9E01CD3296DF346E818F41

Function 00007FFD9B893299 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc21d51fd5a4ecfb583135e83cdc3ff64354c0a32b74585f54a431b39abf14b
Instruction ID: f24b68c7065799d4bce285a422ff548516cc85b4f73bb7ee65f59cc3a86ee23e
Opcode Fuzzy Hash: 7fc21d51fd5a4ecfb583135e83cdc3ff64354c0a32b74585f54a431b39abf14b
Instruction Fuzzy Hash: 81C13C70E0965D8FEFA8DB98C8657A8BBB1FF58300F5141BAD00DE3296DE346981CB41

Function 00007FFD9B890F4F Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a6a3544767a5ff5d2b613d35bfc6166c436ee350d7de7b24a786e3be6e4e84
Instruction ID: a3289325359a6d03fb872003e37a80f8ab003e6a0e33fe5cef111852a4ac5425
Opcode Fuzzy Hash: 36a6a3544767a5ff5d2b613d35bfc6166c436ee350d7de7b24a786e3be6e4e84
Instruction Fuzzy Hash: 80D15374A09A1C8FDFA4EB18C898BA8B7B5FF59301F5541E9910DE7265DA30AE81CF40

Function 00007FFD9B890DF5 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e6ab4ca953b0127545671bd5270954ff3fc1e06412836794c3c3d005c5ee28b
Instruction ID: 81491f9015ab2951ce1bf885578c507bbc418f7d425ec79248b26ef8fd03dda7
Opcode Fuzzy Hash: 2e6ab4ca953b0127545671bd5270954ff3fc1e06412836794c3c3d005c5ee28b
Instruction Fuzzy Hash: 9CC19871A09A1D8FDBA5DB58C898BA8B7B5FF58300F1141E9D00DE72A5DB34AE81CF40

Function 00007FFD9B96BD71 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757123970.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec1483e981144a811a4eb220bfe4fc0ca4c271a75d12699a7b7a5f4d8005276
Instruction ID: b6a9e58bb649d3924d19020945b71b9796cb281ad12f800717450b47a6efebdd
Opcode Fuzzy Hash: 2ec1483e981144a811a4eb220bfe4fc0ca4c271a75d12699a7b7a5f4d8005276
Instruction Fuzzy Hash: 4E81267171DF4C9FDBA9DB1C9465A757BE1EF99310B0601AEE44AC72B3E924EC028381

Function 00007FFD9B891EDE Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68733cbc260db7490f8e25e37276a4a91a228abd40aec66c1f0209861192ff0
Instruction ID: be2aa77b35d62ff30a28a77b9a1163d7592fb04591bae6a698e2675d0ba1e44b
Opcode Fuzzy Hash: a68733cbc260db7490f8e25e37276a4a91a228abd40aec66c1f0209861192ff0
Instruction Fuzzy Hash: 2FB1EA74A09A1D8FDFA9EB58C8A5BA877B5EF58300F1101E9D41DD72A1DB34AE81CF40

Function 00007FFD9B9622EB Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757123970.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1978264ae7a4b59cd9cfa6673060ea19ae58bafb70e7f35b75ed0749f49a7e3e
Instruction ID: 131a9879493c000f2a4735e8df5039dd2de63a6d7d5a40eca4250f8df21d3236
Opcode Fuzzy Hash: 1978264ae7a4b59cd9cfa6673060ea19ae58bafb70e7f35b75ed0749f49a7e3e
Instruction Fuzzy Hash: 89812330B1DA494FE7A9D7AC8465A743BD1EF9A310B1501BBD44EC72F3DE18AD428381

Function 00007FFD9B892FF0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed8e38b09bfcfe7b4412e79409118b158f89eefbb1f9a119754b9002246a178
Instruction ID: ab1782b6590fe612a54fdda287342f062d257c6d1676102ad2cc4d9fc76a9885
Opcode Fuzzy Hash: aed8e38b09bfcfe7b4412e79409118b158f89eefbb1f9a119754b9002246a178
Instruction Fuzzy Hash: FA91D471B0DA4D4FEF54CB5C98696AD7BE1FF9C340F05027AE04DE32A2DB2569018B41

Function 00007FFD9B8915AE Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91341eace746ba46a9a57ef1497f7c76fa49f53033d0585a6ade76a254dc5e7a
Instruction ID: 0f211f8202f175b28f63c9d32031c6df41c43ac930e7bcafda650fa67dbe0ce7
Opcode Fuzzy Hash: 91341eace746ba46a9a57ef1497f7c76fa49f53033d0585a6ade76a254dc5e7a
Instruction Fuzzy Hash: 72B17670A1961D8FDBA9EB58C894BA8B7B5FF58300F5001E9D00DE72A5DB34AE81CF40

Function 00007FFD9B96C268 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757123970.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee54121e62cf80431e512314573a00ff31c93d7756c347ec6fb1d7f98e5a6e
Instruction ID: 53e8e66a28ce654c6b1b6ad84557d2bd4bf5a9af0bb0b8dec57343f7ac21d359
Opcode Fuzzy Hash: 4bee54121e62cf80431e512314573a00ff31c93d7756c347ec6fb1d7f98e5a6e
Instruction Fuzzy Hash: ED61043171DA4C8FDBA8DA5C9465A3577E2FF99710B0101BEF44EC32A2DE21EC428781

Function 00007FFD9B892E90 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ec9206590251c523430fabf540aba1422ad4c6bdeba2d574c04a6b6367ea96
Instruction ID: 3c220db9664da3eff9fe60565dfbf835db27586808103e7ed2fd53f186d4197b
Opcode Fuzzy Hash: b0ec9206590251c523430fabf540aba1422ad4c6bdeba2d574c04a6b6367ea96
Instruction Fuzzy Hash: 4591D930A1991D8FDFA4EB98D4A5BAC7BF5FF58310F4101A9E00DD72A6DE34A981CB40

Function 00007FFD9B96D189 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757123970.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0dad5f377bcb3375bd40263b2e2ae1e41e71773646c97a6b1237dd621df93e
Instruction ID: f4cf4749396d8a3336b9baec48dd6dddde105e138efcf6b584811305ff9851d2
Opcode Fuzzy Hash: dc0dad5f377bcb3375bd40263b2e2ae1e41e71773646c97a6b1237dd621df93e
Instruction Fuzzy Hash: EA61E771B1DB885FE759DB1C58659243BE2FF9A35070A02EFE499C72B3DD15AC028341

Function 00007FFD9B891F71 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bec1dbd4715ed40bf4f21dc8d89787cd249b39e8a5a0f1eab22dc86a2f7fe79
Instruction ID: f8299d7f2e9bdcf207ee6f628d51603d822317dd46d94c8ee08901c158c40b40
Opcode Fuzzy Hash: 7bec1dbd4715ed40bf4f21dc8d89787cd249b39e8a5a0f1eab22dc86a2f7fe79
Instruction Fuzzy Hash: F8916774A0961D8FDFA9EB58C894BA8B7B5EF59301F1001E9900DE7265CB71AE81CF41

Function 00007FFD9B891E4F Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6daad007c9d0ac5ebc79529a86f51308c41abd31b63b82966e1beec3fea0e72e
Instruction ID: 89bcc5817236da19839b756c453130284e0b5df06481c9e858e1d9103290d59c
Opcode Fuzzy Hash: 6daad007c9d0ac5ebc79529a86f51308c41abd31b63b82966e1beec3fea0e72e
Instruction Fuzzy Hash: 55819630A0961D8FDFA9EB58C894BA8B7F5EF59301F1101A9D00DE72A5DB34AE81CF41

Function 00007FFD9B8930DD Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8b337cb2649f47bbb0a4f24bdb1e386b03b1adb96cd17edd2b67564b729b08
Instruction ID: 186e79a1cb4845ea8c00570f582c210724f7bdcd464299eea170c5eab7be0f6b
Opcode Fuzzy Hash: cc8b337cb2649f47bbb0a4f24bdb1e386b03b1adb96cd17edd2b67564b729b08
Instruction Fuzzy Hash: 32411C22B0F6A64BDB16A7ECBC745E87F60EF41269B0941F7D198CA0E7EC1415468380

Function 00007FFD9B892F0D Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f5fa51ae638678f182bcb1aa81b7d3feaad608d5bfb77e188430652a10633d
Instruction ID: 42f5361f8d4445e0eee501d86fdb588b063f06917c8009672d787914d526ac2a
Opcode Fuzzy Hash: 44f5fa51ae638678f182bcb1aa81b7d3feaad608d5bfb77e188430652a10633d
Instruction Fuzzy Hash: 4B519D31A09A5D8FDF55EFA8C865AED7BF0FF58304F0001BAE409D3296DA34A941CB81

Function 00007FFD9B96031D Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757123970.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b204c4dacc6e37dbbc32eae5c8f725ebc4ad5ecaddb17bac8ac3d200e0f39105
Instruction ID: 21db1cc2e92cce334b74c896295be61193afef36ef2be8d8684380fe7dcfdd96
Opcode Fuzzy Hash: b204c4dacc6e37dbbc32eae5c8f725ebc4ad5ecaddb17bac8ac3d200e0f39105
Instruction Fuzzy Hash: 2F413A3170EB885FD76A976898A5A643FE0EF5672170902FBD049C72F7D918AD06C381

Function 00007FFD9B890A52 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515da8b898e32f5002a19d67496f8b8b73add18f1b807ed7def842b5ce0267f7
Instruction ID: ebc4199ed5b670c751177ab08bdb86589abfe4f047d22a2fee13d633d0cda04f
Opcode Fuzzy Hash: 515da8b898e32f5002a19d67496f8b8b73add18f1b807ed7def842b5ce0267f7
Instruction Fuzzy Hash: 02418371D18A4C8EE798CF68C8A47A97FE1FB59704F50016EC119D77C9DBB52505CB80

Function 00007FFD9B892CE4 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac7ac1f7bee1a83e1c6873a7d52c28f6acf3bc5c474fb9b20bcf818d161f986
Instruction ID: 0b2fdde9fe5c8f5bfa61e05fbb579f1c50e09ab1499c5424ba6859fd1ba0a0d0
Opcode Fuzzy Hash: 8ac7ac1f7bee1a83e1c6873a7d52c28f6acf3bc5c474fb9b20bcf818d161f986
Instruction Fuzzy Hash: 23313871A0F6CD4FEF69DFA488685A87FA0FF19704F0500FAD458C70E2DA25AA48C701

Function 00007FFD9B8930D0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4e12e3082795658d3b40db99ee0bdde7719681e1dd07ebb26ee423f0ab367a
Instruction ID: 674f3a9226cf32b8256addd2759fed63fb3a61f8b03deae15a1db1e8f0036191
Opcode Fuzzy Hash: fc4e12e3082795658d3b40db99ee0bdde7719681e1dd07ebb26ee423f0ab367a
Instruction Fuzzy Hash: 5D21A032B0994D8FEF54DF5C98682A97BE2FFCC300F14426AE40DE3291DB3569018B51

Function 00007FFD9B89275A Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40448f70e574230bea66569dca5929f9cb0a57145b6f514748fb688e54f8769
Instruction ID: 14b209d65b5789fcd2959b933e6145499af762dae937624782be871a53e5e2aa
Opcode Fuzzy Hash: d40448f70e574230bea66569dca5929f9cb0a57145b6f514748fb688e54f8769
Instruction Fuzzy Hash: 4521E731B1A58E9FFB5CEFA888755A87BA0FF58300F4505BAE05DC71E3DD2469818742

Function 00007FFD9B9604FD Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757123970.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aae699ef5c9c49c8087ad864be5d639fc7774665b911054a67045bde243bd9
Instruction ID: 80b25b52ef9be8df9c5cdd384da3d70188d7ff3f44e0a33f8b061ab1b481cd92
Opcode Fuzzy Hash: 14aae699ef5c9c49c8087ad864be5d639fc7774665b911054a67045bde243bd9
Instruction Fuzzy Hash: EB110D61B1FA895FEBA9D71C44F153437D1EF59750B1501BAD04DC72F6DE14AC418301

Function 00007FFD9B962119 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757123970.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6b95f251f5cce6754285d97294153088777019eaef15790beb3ee14eb78436
Instruction ID: 6fda3896dd2044794394ce2c43b28ba730c2d24af53e19cd57eb6ff5533b25be
Opcode Fuzzy Hash: ba6b95f251f5cce6754285d97294153088777019eaef15790beb3ee14eb78436
Instruction Fuzzy Hash: 5A11C861B1FA895FE7A9DB6C847463437D2EFA8750B1A40BEE05DC72F2DE24AC418301

Function 00007FFD9B9606E0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757123970.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 294559cb6c439fc5f1694e116cdf4e5b18d2957745998fd4152a03766caae09d
Instruction ID: e8b9d57f250c35c1c71bb3fce47a5965bfe81480a313a23f8c89381aab509b0b
Opcode Fuzzy Hash: 294559cb6c439fc5f1694e116cdf4e5b18d2957745998fd4152a03766caae09d
Instruction Fuzzy Hash: CA115C71B2E6895FD7A9DB5C84A45243BD1EFA4B10B1A01BAD04CC72B6CD299D018301

Function 00007FFD9B890D01 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c1ff5f737d00d4a735ce4de26da8ee5d9633c96b3b9c36097e2c8d7b0afd0c
Instruction ID: af3bc6750d78d3b0f62a4d81c2be20a423c4f283decfb6383fa343c0fb797fe8
Opcode Fuzzy Hash: c9c1ff5f737d00d4a735ce4de26da8ee5d9633c96b3b9c36097e2c8d7b0afd0c
Instruction Fuzzy Hash: 0901C872E1E54D6FEB95AB6888766F87FA0EF59700F4106BBE448C60E7DD2936408701

Function 00007FFD9B9607CE Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1757123970.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab6552d8715ca7afeb8ca1caff1ec76e8c173a8aa716ba5a6ace31aa06828ac
Instruction ID: 7f50b66178f6bf5ffe886158a9832a1197ccd8dbdd159e18a73e87abeab79f40
Opcode Fuzzy Hash: fab6552d8715ca7afeb8ca1caff1ec76e8c173a8aa716ba5a6ace31aa06828ac
Instruction Fuzzy Hash: FB11C230B1EA899FDFA5DB2884E4A287BE1EF55710B1901ADD04DC71E6CA29EC80C781

Function 00007FFD9B890850 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1062ac3eb224ac91e1982989b6a6d2d5a602fa2fa49a97ab3277997dab3784e0
Instruction ID: 088c929c97cf57fcc7e797ab08d83de41981b0f9af6694fdee10a723fe63e6aa
Opcode Fuzzy Hash: 1062ac3eb224ac91e1982989b6a6d2d5a602fa2fa49a97ab3277997dab3784e0
Instruction Fuzzy Hash: 8F01A712B1E59946DB2667EC6C751E53B50EF46228F0901B3E49C950E7DC0856578291

Function 00007FFD9B893775 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f032ec117e28d593f0e6e3ef0b9339a23a2662e6d2013b05bc5b3fa6fec28ad3
Instruction ID: 90f793627ce3bd05485d5ad80a13a001f7d6f676cbf1addf8bb0e3e94a5e4eae
Opcode Fuzzy Hash: f032ec117e28d593f0e6e3ef0b9339a23a2662e6d2013b05bc5b3fa6fec28ad3
Instruction Fuzzy Hash: 45014870908A4D8FDF84EF58C898AEA7BF0FF68300F0005AAD418C72A1DB309694CB81

Function 00007FFD9B892FA8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33013d894c22d45a84f4051c49a236676e2a7d8210ee9c326b4db14c26462f69
Instruction ID: 6db5a5d53b94ee0cbc5b1c1062b08fe0a7a540278530c8178c6a2ac6eee89d1e
Opcode Fuzzy Hash: 33013d894c22d45a84f4051c49a236676e2a7d8210ee9c326b4db14c26462f69
Instruction Fuzzy Hash: A301C430914A4D9FDF84EF68C849AEA7BF0FB28305F00056AA81DD3264DB30A690CB81

Function 00007FFD9B892EE0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4818beb7d8ae29dcc8cfdbd57b50aa597e0f3f5d2a8cf0924f18164ce9a7f215
Instruction ID: 160581c046fa9086e28c2e42d4e89d805541e7c2d90691435b73edd4f31baea1
Opcode Fuzzy Hash: 4818beb7d8ae29dcc8cfdbd57b50aa597e0f3f5d2a8cf0924f18164ce9a7f215
Instruction Fuzzy Hash: C701D630914A0D9FDF84EF68C849AEE7BF0FB68305F11056AA81DD3260DB70A690CB81

Function 00007FFD9B8921F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952b103b812b7b8fb00e2d22b6c6b50a897c612e5a8be4c913220dec184efd92
Instruction ID: 8fee4319ecf92aaaa2bab91f7ae38f2a991d35292f11f5232b0f6b16581eac5f
Opcode Fuzzy Hash: 952b103b812b7b8fb00e2d22b6c6b50a897c612e5a8be4c913220dec184efd92
Instruction Fuzzy Hash: 80017C30A09A8D8FCB85EFA8C858AAD7BF0FF19300F0505EAD018C72A2D734D944CB01

Function 00007FFD9B892F08 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67219346d8a281f75ae41fd9c65d73e3173ac72fe1ddd25d54b8c9a03cb41a63
Instruction ID: be99936f6b5a91551b527530519e4989bf188f9d8d17feb313db69ece6caa16a
Opcode Fuzzy Hash: 67219346d8a281f75ae41fd9c65d73e3173ac72fe1ddd25d54b8c9a03cb41a63
Instruction Fuzzy Hash: 2E01B67091491D8FDF84EF98C858AEE7BF0FB68305F10056AA41DD32A4DB30A690CB80

Function 00007FFD9B893790 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a45a3da5e92f84b4d35d0173d5d24c3bffe590e1f948867afabfbaf7b857c3b
Instruction ID: cc2e20f86255fbeb42a9e7d8da85424ecaad23da2b5e04fdf690efd7e19b3dc9
Opcode Fuzzy Hash: 5a45a3da5e92f84b4d35d0173d5d24c3bffe590e1f948867afabfbaf7b857c3b
Instruction Fuzzy Hash: F001C47091490D9FDF84EF68C848AFEBBF0FB68305F00056AE419D32A4DB70A694CB81

Function 00007FFD9B890D99 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc4836d589654de883fc4dbf57e4a7c295d45d2e234b7041cdf239c50e212a1
Instruction ID: fe9565e35a69cfe1fccefa2cfbbace5cd4cc6a782129f3c9958acbda7ffe987b
Opcode Fuzzy Hash: bbc4836d589654de883fc4dbf57e4a7c295d45d2e234b7041cdf239c50e212a1
Instruction Fuzzy Hash: 42F0F67291E78C8FEB669B6488691E87FF0FF59710F4601EBD048CB0E3E92925848301

Function 00007FFD9B892D70 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166b8eb897dbd196e916ba460d730ddf1393018a18ea00a73403a0f75c03ed67
Instruction ID: e5d98363eadd930e04137f5855384092bbc19e5a500cc0283a10cfe6763fc306
Opcode Fuzzy Hash: 166b8eb897dbd196e916ba460d730ddf1393018a18ea00a73403a0f75c03ed67
Instruction Fuzzy Hash: AAF01C3491494C9FDF88EFA8C458AE9BBF0FF68305F4041AAE41DC31A4DB31A694CB41

Function 00007FFD9B890873 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1756509337.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4492ffafd4585d7a4354cd97e2324674d1013e8c4cebf756bdf5ec43efaa1727
Instruction ID: d71dcdc0412bd8d535d5081844ffa0b07af98ff1d4042bb8400315c75f94da6d
Opcode Fuzzy Hash: 4492ffafd4585d7a4354cd97e2324674d1013e8c4cebf756bdf5ec43efaa1727
Instruction Fuzzy Hash: F0F0126291E6CD5EDB6327F41C251A47F70AF57204F4A01A3E498DA0E7D91C5A18C362

Non-executed Functions

Function 00007FFD9BAC9683 Relevance: 1.3, Instructions: 1258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758070361.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca6b62e7f33f89df51894b887757716f0fd5d0191013d73438cbcc8dc822350
Instruction ID: a13e84021698095b274c9bed1bd0ca7bd06772852a8ff51af96bdb3d53e92639
Opcode Fuzzy Hash: 3ca6b62e7f33f89df51894b887757716f0fd5d0191013d73438cbcc8dc822350
Instruction Fuzzy Hash: E1920331B1EE4E4BEBADEB68902457577D1FF99310B1502BED04EC32E6DE25B9028781

Function 00007FFD9BAC9C18 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758070361.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bab0000_7xweUz2MYa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b2e5283c975e1a101fdd49c16957e3501d132656d395a05af349dd08598d7db
Instruction ID: 27061ed7565eced7e098ee295f37cb1af3304b5107df478d625d22d63c7b107f
Opcode Fuzzy Hash: 1b2e5283c975e1a101fdd49c16957e3501d132656d395a05af349dd08598d7db
Instruction Fuzzy Hash: 03D11231B1DA4A4FDB6DEB2994649B1B7D1FF69310B0001BED09EC36D7EE25B8028781

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7xweUz2MYa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7xweUz2MYa.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
7xweUz2MYa.exe

Function 00007FFD9BABDDF9 Relevance: 3.1, Instructions: 3068
COMMON

Function 00007FFD9BACF869 Relevance: 2.4, APIs: 1, Instructions: 859
COMMON

Function 00007FFD9BAB8BE9 Relevance: 2.2, Strings: 1, Instructions: 996
COMMON

Function 00007FFD9B96C4CA Relevance: 2.0, Strings: 1, Instructions: 766
COMMON

Function 00007FFD9BAC168D Relevance: 1.1, Instructions: 1114
COMMON

Function 00007FFD9B9616B3 Relevance: .9, Instructions: 867
COMMON

Function 00007FFD9BAC2335 Relevance: .8, Instructions: 804
COMMON

Function 00007FFD9BABB7D5 Relevance: 1.8, APIs: 1, Instructions: 252
fileCOMMON

Function 00007FFD9BABCD49 Relevance: 1.7, APIs: 1, Instructions: 159
fileCOMMON

Function 00007FFD9B96C010 Relevance: 1.5, Strings: 1, Instructions: 268
COMMON

Function 00007FFD9B96D9CA Relevance: 1.4, Strings: 1, Instructions: 153
COMMON