
Windows Analysis Report
nXkktDu3Fp.exe

Overview

General Information

Sample name: nXkktDu3Fp.exe (renamed because the original name is a hash value)
Original sample name: bcec5c797faf738920070f42a97f46726d01cedd.exe
Analysis ID: 1582806
MD5: 3823f08e6d1a00d78f0c51e1ecd75803
SHA1: bcec5c797faf738920070f42a97f46726d01cedd
SHA256: 6cdd01dc1dda6872082866f07b2310ad1440da47bca77c48c3f47d10b87f8305
Tags: exe user-NDA0E

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • nXkktDu3Fp.exe (PID: 7732 cmdline: "C:\Users\user\Desktop\nXkktDu3Fp.exe" MD5: 3823F08E6D1A00D78F0C51E1ECD75803)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["185.81.68.147:1912"], "Bot Id": "sdgd", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author | Strings
nXkktDu3Fp.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
nXkktDu3Fp.exe | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io | (string matches listed below)
    • 0x24cc3:$gen01: ChromeGetRoamingName
    • 0x24ce8:$gen02: ChromeGetLocalName
    • 0x24d2b:$gen03: get_UserDomainName
    • 0x28bc4:$gen04: get_encrypted_key
    • 0x27943:$gen05: browserPaths
    • 0x27c19:$gen06: GetBrowsers
    • 0x27501:$gen07: get_InstalledInputLanguages
    • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
    • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
    • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
    • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
    • 0x296f4:$spe9: *wallet*
    • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
    • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
    • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
    • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
    • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
    • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
    • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
    • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.1372359478.0000000000F62000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: nXkktDu3Fp.exe PID: 7732 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: nXkktDu3Fp.exe PID: 7732 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.0.nXkktDu3Fp.exe.f60000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.0.nXkktDu3Fp.exe.f60000.0.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io | (same string matches at the same offsets as listed above for nXkktDu3Fp.exe)
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-31T15:02:23.613370+0100 | 2043234 | 1 | A Network Trojan was detected | 185.81.68.147 | 1912 | 192.168.2.7 | 49748 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-31T15:02:23.393641+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:28.704717+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:29.416513+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:29.641157+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:29.932078+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:30.288762+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:30.514710+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:30.735115+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:30.962613+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:31.232852+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:31.476450+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:32.124057+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:32.129104+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:33.214065+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:33.521094+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:33.742493+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:35.126209+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:35.350872+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:35.599047+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:35.878864+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:36.293448+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:36.513469+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:36.733895+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:36.989945+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-31T15:02:29.421595+0100 | 2046056 | 1 | A Network Trojan was detected | 185.81.68.147 | 1912 | 192.168.2.7 | 49748 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-31T15:02:23.393641+0100 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP


                  AV Detection

Source: nXkktDu3Fp.exe | Malware Configuration Extractor: RedLine {"C2 url": ["185.81.68.147:1912"], "Bot Id": "sdgd", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: nXkktDu3Fp.exe | Virustotal: Detection: 72% (Perma Link)
Source: nXkktDu3Fp.exe | ReversingLabs: Detection: 70%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: nXkktDu3Fp.exe | Joe Sandbox ML: detected
Source: nXkktDu3Fp.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: nXkktDu3Fp.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbw | source: nXkktDu3Fp.exe, 00000000.00000002.1545624725.0000000006529000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb | source: nXkktDu3Fp.exe, 00000000.00000002.1545834719.0000000006538000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer328AO | source: nXkktDu3Fp.exe, 00000000.00000002.1545624725.00000000064E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb | source: nXkktDu3Fp.exe, 00000000.00000002.1547711895.00000000075B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb | source: nXkktDu3Fp.exe, 00000000.00000002.1530772039.0000000001560000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb | source: nXkktDu3Fp.exe, 00000000.00000002.1545834719.0000000006538000.00000004.00000020.00020000.00000000.sdmp

                  Networking

Source: Network traffic | Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.7:49748 -> 185.81.68.147:1912
Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.7:49748 -> 185.81.68.147:1912
Source: Network traffic | Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 185.81.68.147:1912 -> 192.168.2.7:49748
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.81.68.147:1912 -> 192.168.2.7:49748
Source: Malware configuration extractor | URLs: 185.81.68.147:1912
Source: global traffic | TCP traffic: 192.168.2.7:49748 -> 185.81.68.147:1912
Source: Joe Sandbox View | IP Address: 185.81.68.147
Source: Joe Sandbox View | ASN Name: KLNOPT-ASFI
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.68.147
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/:hardwares.
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000369C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003414000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000369C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000369C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000369C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000369C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000369C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.0000000004832000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000437B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: nXkktDu3Fp.exeString found in binary or memory: https://api.ip.sb/ip
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.0000000004832000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000437B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.0000000004832000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000437B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.0000000004832000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000437B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.0000000004832000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000437B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.0000000004832000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000437B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.0000000004832000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000437B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.0000000004832000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000437B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.0000000004832000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000437B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                  System Summary

                  barindex
                  Source: nXkktDu3Fp.exe, type: SAMPLEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.0.nXkktDu3Fp.exe.f60000.0.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exeCode function: 0_2_0190DC740_2_0190DC74
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exeCode function: 0_2_0585EFF80_2_0585EFF8
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exeCode function: 0_2_058589F00_2_058589F0
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exeCode function: 0_2_058500070_2_05850007
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exeCode function: 0_2_058500400_2_05850040
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exeCode function: 0_2_058589E00_2_058589E0
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1530727946.00000000014FE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs nXkktDu3Fp.exe
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs nXkktDu3Fp.exe
                  Source: nXkktDu3Fp.exe, 00000000.00000000.1372386491.0000000000FA6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs nXkktDu3Fp.exe
                  Source: nXkktDu3Fp.exeBinary or memory string: OriginalFilenameSteanings.exe8 vs nXkktDu3Fp.exe
                  Source: nXkktDu3Fp.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: nXkktDu3Fp.exe, type: SAMPLEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.0.nXkktDu3Fp.exe.f60000.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/1@0/1
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exeFile created: C:\Users\user\AppData\Local\SystemCacheJump to behavior
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exeMutant created: NULL
                  Source: nXkktDu3Fp.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: nXkktDu3Fp.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003781000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000376B000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003814000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000038A8000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000037FE000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003892000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000475F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: nXkktDu3Fp.exe | Virustotal: Detection: 72%
                  Source: nXkktDu3Fp.exe | ReversingLabs: Detection: 70%
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: msvcp140_clr0400.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: secur32.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: wbemcomn.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: dpapi.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: rstrtmgr.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                  Source: nXkktDu3Fp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: nXkktDu3Fp.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbw source: nXkktDu3Fp.exe, 00000000.00000002.1545624725.0000000006529000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: nXkktDu3Fp.exe, 00000000.00000002.1545834719.0000000006538000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer328AO source: nXkktDu3Fp.exe, 00000000.00000002.1545624725.00000000064E0000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: nXkktDu3Fp.exe, 00000000.00000002.1547711895.00000000075B7000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: nXkktDu3Fp.exe, 00000000.00000002.1530772039.0000000001560000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: nXkktDu3Fp.exe, 00000000.00000002.1545834719.0000000006538000.00000004.00000020.00020000.00000000.sdmp
                  Source: nXkktDu3Fp.exe | Static PE information: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Code function: 0_2_0585D5E2 push eax; ret 0_2_0585D5F1
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Memory allocated: 1900000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Memory allocated: 3340000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Memory allocated: 3240000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Window / User API: threadDelayed 1054
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Window / User API: threadDelayed 2698
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe TID: 7976 | Thread sleep time: -12912720851596678s >= -30000s
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe TID: 7752 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696492231t
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696492231t
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696492231o
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696492231f
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696492231j
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1530772039.00000000015C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$$]
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696492231x
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696492231o
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696492231f
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696492231j
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696492231x
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003971000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                  Source: nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000454F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Queries volume information: C:\Users\user\Desktop\nXkktDu3Fp.exe VolumeInformation
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                  Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                  Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: nXkktDu3Fp.exe, type: SAMPLE
Source: Yara match | File source: 0.0.nXkktDu3Fp.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1372359478.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nXkktDu3Fp.exe PID: 7732, type: MEMORYSTR
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\Desktop\nXkktDu3Fp.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match | File source: 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nXkktDu3Fp.exe PID: 7732, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: nXkktDu3Fp.exe, type: SAMPLE
Source: Yara match | File source: 0.0.nXkktDu3Fp.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1372359478.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nXkktDu3Fp.exe PID: 7732, type: MEMORYSTR
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Masquerading | 1 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 241 Virtualization/Sandbox Evasion | Security Account Manager | 241 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 113 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

Source | Detection | Scanner | Label | Link
nXkktDu3Fp.exe | 72% | Virustotal | |
nXkktDu3Fp.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.RedLineStealz |
nXkktDu3Fp.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://schemas.datacontract.org/2004/07/System.ServiceModeld | 0% | Avira URL Cloud | safe |
http://ns.adobe.3/pho | 0% | Avira URL Cloud | safe |
http://ns.d | 0% | Avira URL Cloud | safe |
http://schemas.datacontract.org/2004/07/System.ServiceModel | 0% | Avira URL Cloud | safe |
http://ns.axif/1. | 0% | Avira URL Cloud | safe |
                  No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
185.81.68.147:1912 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | nXkktDu3Fp.exe, 00000000.00000002.1537231252.0000000004832000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000437B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | nXkktDu3Fp.exe, 00000000.00000002.1537231252.0000000004832000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000437B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org | nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000369C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id14ResponseD | nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23ResponseD | nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000369C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org/2004/07/System.ServiceModeld | nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000369C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/ | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id2Response | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6ResponseD | nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id5 | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id7 | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6 | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13ResponseD | nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id5ResponseD | nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | nXkktDu3Fp.exe | false | | high
http://schemas.datacontract.org/2004/07/ | nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000369C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/sc | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1ResponseD | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ns.d | nXkktDu3Fp.exe, 00000000.00000002.1531710483.000000000193C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | nXkktDu3Fp.exe, 00000000.00000002.1537231252.0000000004832000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000437B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20 | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21 | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id22 | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23 | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24 | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ns.adobe.3/pho | nXkktDu3Fp.exe, 00000000.00000002.1531710483.000000000193C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org/2004/07/System.ServiceModel | nXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000369C000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id24Response | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | nXkktDu3Fp.exe, 00000000.00000002.1537231252.0000000004832000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1537231252.000000000437B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1Response | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeynXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://tempuri.org/Entity/Id21ResponseDnXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000369C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressingnXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssuenXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionnXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://ns.axif/1.nXkktDu3Fp.exe, 00000000.00000002.1531710483.000000000193C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trustnXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://tempuri.org/Entity/Id10nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://tempuri.org/Entity/Id11nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://tempuri.org/Entity/Id12nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://tempuri.org/Entity/Id16ResponsenXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponsenXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelnXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://tempuri.org/Entity/Id13nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://tempuri.org/Entity/Id14nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmp, nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003414000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://tempuri.org/Entity/Id15nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://tempuri.org/Entity/Id16nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/NoncenXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://tempuri.org/Entity/Id17nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://tempuri.org/Entity/Id18nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://tempuri.org/Entity/Id5ResponsenXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                http://tempuri.org/Entity/Id19nXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsnXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    http://tempuri.org/Entity/Id15ResponseDnXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000341C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      http://tempuri.org/Entity/Id10ResponsenXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RenewnXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          http://tempuri.org/Entity/Id11ResponseDnXkktDu3Fp.exe, 00000000.00000002.1532091673.000000000369C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            http://tempuri.org/Entity/Id8ResponsenXkktDu3Fp.exe, 00000000.00000002.1532091673.0000000003341000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeynXkktDu3Fp.exe, 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
IP             Domain   Country  ASN    ASN Name     Malicious
185.81.68.147  unknown  Finland  50108  KLNOPT-ASFI  true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582806
Start date and time: 2024-12-31 15:01:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: nXkktDu3Fp.exe (renamed because the original name is a hash value)
Original Sample Name: bcec5c797faf738920070f42a97f46726d01cedd.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 16
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
Time      Type             Description
09:02:33  API Interceptor  21x Sleep call for process: nXkktDu3Fp.exe modified
Match          Associated Sample Name / URL  Detection  Threat Name                                               Context
185.81.68.147  52kYJGCon6.exe                malicious  MicroClip                                                 185.81.68.147/data.php
               CwQQqCmqkY.exe                malicious  MicroClip                                                 185.81.68.147/gg.php
               uFVgJVXaEU.exe                malicious  RedLine                                                   185.81.68.147/VzCAHn.php?2F409E82DCA61388941053
               m5804Te9Uw.exe                malicious  RedLine                                                   185.81.68.147/VzCAHn.php?443320E440F81953448019
               3Qv3xyyL5G.exe                malicious  RedLine                                                   185.81.68.147/VzCAHn.php?65D35BAB97073674480464
               K6qneGSDSB.exe                malicious  Babadeda, RedLine                                         185.81.68.147/VzCAHn.php?616766F8886C145454191
               file.exe                      malicious  Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc  185.81.68.147/tizhyf/gate.php?232B06DEE822786254513
               mggoBrtk9t.exe                malicious  Amadey, RedLine
                                                                                                                                                                                                                • 185.81.68.147/7vhfjke3/index.php
                                                                                                                                                                                                                D72j5I83wU.dllGet hashmaliciousAmadeyBrowse
                                                                                                                                                                                                                • 185.81.68.147/7vhfjke3/index.php
                                                                                                                                                                                                                D72j5I83wU.dllGet hashmaliciousAmadeyBrowse
                                                                                                                                                                                                                • 185.81.68.147/7vhfjke3/index.php
                                                                                                                                                                                                                No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
KLNOPT-ASFI | 52kYJGCon6.exe | Get hash | malicious | MicroClip | Browse | 185.81.68.147
KLNOPT-ASFI | CwQQqCmqkY.exe | Get hash | malicious | MicroClip | Browse | 185.81.68.147
KLNOPT-ASFI | uFVgJVXaEU.exe | Get hash | malicious | RedLine | Browse | 185.81.68.147
KLNOPT-ASFI | m5804Te9Uw.exe | Get hash | malicious | RedLine | Browse | 185.81.68.147
KLNOPT-ASFI | 3Qv3xyyL5G.exe | Get hash | malicious | RedLine | Browse | 185.81.68.147
KLNOPT-ASFI | K6qneGSDSB.exe | Get hash | malicious | Babadeda, RedLine | Browse | 185.81.68.147
KLNOPT-ASFI | file.exe | Get hash | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | Browse | 185.81.68.147
KLNOPT-ASFI | mggoBrtk9t.exe | Get hash | malicious | Amadey, RedLine | Browse | 185.81.68.148
KLNOPT-ASFI | D72j5I83wU.dll | Get hash | malicious | Amadey | Browse | 185.81.68.148
KLNOPT-ASFI | D72j5I83wU.dll | Get hash | malicious | Amadey | Browse | 185.81.68.148
No context
No context
Process: C:\Users\user\Desktop\nXkktDu3Fp.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3293
Entropy (8bit): 5.3364558769830905
Encrypted: false
SSDEEP: 96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5sql:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qp
MD5: 4597EFE428DB18BB65EEC00E0E0EC7B1
SHA1: FC763F5655835DFA6E032D20FE81DE058DB88509
SHA-256: CC68860A21A25EDB4BDE922B5E4C1AC0D9735D5E189387E8CDC2466EEE8DEDFE
SHA-512: EE25B64D8221DAAFABA5908002725D8A9E5D851CC77D752C66A5572773A9F087C210D9C53CBC1A63C0BEFE99616D27D1373170BD6716BEC743ADD7BE5C66E07E
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.081980617965222
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: nXkktDu3Fp.exe
File size: 307'712 bytes
MD5: 3823f08e6d1a00d78f0c51e1ecd75803
SHA1: bcec5c797faf738920070f42a97f46726d01cedd
SHA256: 6cdd01dc1dda6872082866f07b2310ad1440da47bca77c48c3f47d10b87f8305
SHA512: 001311b50ba10ba3f509b70212794786dcb4f1eb1429194d892b288827783d8ae8eb1fe4dce7f0749c32a7dbfa5555963cde7ae48db6abcec3b4a0c1c16a14ee
SSDEEP: 3072:ScZqf7D341p/0+mA2kyY6sQQgINB1fA0PuTVAtkxzy3RkeqiOL2bBOA:ScZqf7DIvn2HAB1fA0GTV8kAML
TLSH: AF645A5833E8C910DA7F4775D861D67093B0BCA3A552E70B4FC4ACAB3D32740EA51AB6
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. ....................... ............@................................
Icon Hash: 4d8ea38d85a38e6d
Entrypoint: 0x4302ce
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x30274 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x1c9c6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x50000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2e2d4 | 0x2e400 | c28b6e25653744c58f6a215921b90ea4 | False | 0.4749736064189189 | data | 6.18708924243235 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x32000 | 0x1c9c6 | 0x1ca00 | a8cf3f8ff27a4a736ba8fb433d91107f | False | 0.2380765556768559 | data | 2.615031395625776 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x50000 | 0xc | 0x200 | 951c0304dce84311b97d3da9b0180199 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x32220 | 0x3d04 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9934058898847631
RT_ICON | 0x35f24 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.09013072282030049
RT_ICON | 0x4674c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.13905290505432216
RT_ICON | 0x4a974 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.17033195020746889
RT_ICON | 0x4cf1c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.2045028142589118
RT_ICON | 0x4dfc4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.24645390070921985
RT_GROUP_ICON | 0x4e42c | 0x5a | data | | | 0.7666666666666667
RT_VERSION | 0x4e488 | 0x352 | data | | | 0.4447058823529412
RT_MANIFEST | 0x4e7dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-31T15:02:23.393641+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:23.393641+0100 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:23.613370+0100 | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 185.81.68.147 | 1912 | 192.168.2.7 | 49748 | TCP
2024-12-31T15:02:28.704717+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:29.416513+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:29.421595+0100 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 185.81.68.147 | 1912 | 192.168.2.7 | 49748 | TCP
2024-12-31T15:02:29.641157+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:29.932078+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:30.288762+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:30.514710+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:30.735115+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:30.962613+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:31.232852+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:31.476450+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:32.124057+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:32.129104+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:33.214065+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:33.521094+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:33.742493+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:35.126209+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:35.350872+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:35.599047+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:35.878864+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:36.293448+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:36.513469+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:36.733895+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
2024-12-31T15:02:36.989945+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.7 | 49748 | 185.81.68.147 | 1912 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 15:02:22.281886101 CET | 49748 | 1912 | 192.168.2.7 | 185.81.68.147
Dec 31, 2024 15:02:22.286715984 CET | 1912 | 49748 | 185.81.68.147 | 192.168.2.7
Dec 31, 2024 15:02:22.287205935 CET | 49748 | 1912 | 192.168.2.7 | 185.81.68.147
Dec 31, 2024 15:02:22.296061039 CET | 49748 | 1912 | 192.168.2.7 | 185.81.68.147
Dec 31, 2024 15:02:22.300853014 CET | 1912 | 49748 | 185.81.68.147 | 192.168.2.7
Dec 31, 2024 15:02:22.998785973 CET | 1912 | 49748 | 185.81.68.147 | 192.168.2.7
Dec 31, 2024 15:02:23.050244093 CET | 49748 | 1912 | 192.168.2.7 | 185.81.68.147
Dec 31, 2024 15:02:23.393640995 CET | 49748 | 1912 | 192.168.2.7 | 185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:23.398504019 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:23.613369942 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:23.659571886 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:28.704716921 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:28.709551096 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:28.925425053 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:28.925441027 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:28.925517082 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:28.925576925 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:28.925590038 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:28.925604105 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:28.925616026 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:28.925643921 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:28.925682068 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.416512966 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.421595097 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.637861967 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.641156912 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.645953894 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.860482931 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.909616947 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.932077885 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.938740015 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.938755035 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.938817024 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.938848019 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.939800978 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.940109968 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.940403938 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.940562963 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.940730095 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.941443920 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.941454887 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.941463947 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.941474915 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.946768045 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.946779966 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.946789980 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:29.946794033 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.279182911 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.288762093 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.293569088 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.508070946 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.514709949 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.519556999 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.734061956 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.735115051 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.739864111 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.954547882 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.962613106 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.967447042 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.967458010 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.967469931 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.967598915 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.967608929 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:30.967643023 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:31.191323996 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:31.232851982 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:31.237694979 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:31.464308977 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:31.476449966 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:31.481225014 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:31.699359894 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:31.753382921 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.124057055 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129035950 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129056931 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129103899 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129127026 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129168987 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129214048 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129240036 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129266024 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129287958 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129301071 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129332066 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129333019 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129345894 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129354000 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129359961 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129374027 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129395008 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129410982 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129414082 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129426956 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129451990 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129465103 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129467010 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129503965 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129517078 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129518032 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129535913 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129564047 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129595041 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129678011 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129709005 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129720926 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129729033 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129755020 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.129762888 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141139984 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141153097 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141166925 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141190052 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141201973 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141208887 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141221046 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141244888 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141258001 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141280890 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141294003 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141371965 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141426086 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141438007 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141449928 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141494036 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141506910 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141520023 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141532898 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141556978 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141570091 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141594887 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141608000 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141623020 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141634941 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141735077 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141907930 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.141964912 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.144794941 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.144813061 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.144984961 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.144999981 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145212889 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145226955 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145318031 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145332098 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145433903 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145481110 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145638943 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145652056 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145693064 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145706892 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145729065 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145741940 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145764112 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145777941 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145802975 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145816088 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145838022 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145849943 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145885944 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145899057 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145982981 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.145998955 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146025896 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146039009 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146075964 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146087885 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146219015 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146231890 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146255016 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146265984 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146327972 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146339893 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146364927 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146379948 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146394014 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146416903 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146477938 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146491051 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146514893 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146528959 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146600008 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146612883 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146626949 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146640062 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146662951 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146676064 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146692038 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146716118 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146753073 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146845102 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146912098 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.146987915 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147000074 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147072077 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147097111 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147114038 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147181034 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147202015 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147214890 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147238016 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147252083 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147285938 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147300005 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147402048 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147413969 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147429943 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147454977 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.147468090 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.154778957 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.154803038 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.154815912 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.154856920 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.154869080 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.154931068 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.154952049 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.155014038 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.155026913 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.155042887 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.155066967 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.155080080 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.155108929 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.155121088 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.155133963 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.155164003 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.155179977 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.155345917 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.155395985 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.158910990 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.158929110 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.158948898 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.158958912 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.158968925 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159053087 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159063101 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159071922 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159081936 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159138918 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159147978 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159157038 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159167051 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159210920 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159220934 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159229994 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159240961 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159260035 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159270048 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159279108 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159297943 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159308910 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159388065 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159398079 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159410954 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159478903 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159492016 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159502983 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159524918 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159538031 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159559011 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159570932 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159617901 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159631014 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159707069 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159718990 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159759998 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159853935 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159868956 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159882069 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159898043 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.159950972 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160006046 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160017967 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160089970 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160104036 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160164118 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160254955 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160268068 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160279036 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160294056 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160382986 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160397053 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160408974 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160430908 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160443068 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160485029 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160497904 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160547018 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160559893 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160618067 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160643101 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160706043 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160713911 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160718918 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160744905 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160758018 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160784006 CET497481912192.168.2.7185.81.68.147
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160803080 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160815001 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160877943 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160892010 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160907984 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160922050 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160944939 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160959005 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.160990000 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.161043882 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.161056042 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.161067009 CET191249748185.81.68.147192.168.2.7
                                                                                                                                                                                                                Dec 31, 2024 15:02:32.161094904 CET191249748185.81.68.147192.168.2.7
Dec 31, 2024 15:02:32.161109924 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161134005 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161145926 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161159039 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161170959 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161195040 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161206961 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161259890 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161273003 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161283970 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161295891 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161312103 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161324024 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161392927 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161416054 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.161463976 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.206499100 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:32.368096113 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.368328094 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:32.369322062 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.373753071 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.373764038 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.373778105 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.373799086 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.373810053 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.373856068 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.373866081 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.373884916 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.373893976 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.373941898 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.373951912 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.373970032 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.373979092 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374006033 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374020100 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374047995 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374058008 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374094009 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374104977 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374114990 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374125957 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374145031 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374155998 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374167919 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374188900 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374241114 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374250889 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374272108 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374289989 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:32.374427080 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:33.087018013 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:33.128350019 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:33.214065075 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:33.225552082 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:33.433705091 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:33.487780094 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:33.521094084 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:33.525922060 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:33.740499020 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:33.742492914 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:33.747297049 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:33.961620092 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:34.003448009 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:35.126209021 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:35.131056070 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:35.345850945 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:35.350872040 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:35.355695009 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:35.570389032 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:35.599046946 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:35.603923082 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:35.820322037 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:35.820333958 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:35.820386887 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:35.820441008 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:35.820460081 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:35.820472002 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:35.820542097 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:35.820866108 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:35.820926905 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:35.820934057 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:35.862792969 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:35.878864050 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:35.883666992 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:36.290112972 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:36.293447971 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:36.298295975 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:36.512959957 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:36.513468981 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:36.518332958 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:36.733038902 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:36.733895063 CET  49748  1912  192.168.2.7  185.81.68.147
Dec 31, 2024 15:02:36.738799095 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:36.953511953 CET  1912  49748  185.81.68.147  192.168.2.7
Dec 31, 2024 15:02:36.989944935 CET  49748  1912  192.168.2.7  185.81.68.147

Target ID: 0
Start time: 09:02:20
Start date: 31/12/2024
Path: C:\Users\user\Desktop\nXkktDu3Fp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\nXkktDu3Fp.exe"
Imagebase: 0xf60000
File size: 307'712 bytes
MD5 hash: 3823F08E6D1A00D78F0C51E1ECD75803
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.1372359478.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1532091673.00000000033D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true
Execution Graph

Execution Coverage: 8.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 57
Total number of Limit Nodes: 5

Execution graph (rendered as an interactive figure on the original page; only the API-call paths are recoverable from the graph data):
• Path from 0x14ed01c: CallWindowProcW called at 0x5850bfc and 0x585435a; a separate entry at 0x5854291 also reaches CallWindowProcW at 0x5850bfc
• Path from 0x190d0b8: DuplicateHandle called at 0x190c9a0 and 0x190d300
• Path from 0x190ad38: GetModuleHandleW called at 0x190b068
• Path from 0x1904668: CreateActCtxA called at 0x1904248 and 0x1905940
Memory Dump Source
• Source File: 00000000.00000002.1543634103.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5850000_nXkktDu3Fp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 94089eb09f515fd7776c7df4792de18e482e0acc5f56d7f989c861737d41cebb
• Instruction ID: 17b91e7c27a68732e28f52405839aaaf5023b147bc73f577c2e5876f8b69a3e2
• Opcode Fuzzy Hash: 94089eb09f515fd7776c7df4792de18e482e0acc5f56d7f989c861737d41cebb
• Instruction Fuzzy Hash: 51928170B102058FDB159BB998A473E7AF7FFC8610F684829E906DB395DE74DC028B91
Memory Dump Source
• Source File: 00000000.00000002.1543634103.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5850000_nXkktDu3Fp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b30e3b249cfedea74ceb19eee4a7627e67044fb361e219d7082c9dab3625e8db
• Instruction ID: 028b4a355b12fc4946633d6c54c4ab7c6f12aec13c1ef614da5efb498d09d260
• Opcode Fuzzy Hash: b30e3b249cfedea74ceb19eee4a7627e67044fb361e219d7082c9dab3625e8db
• Instruction Fuzzy Hash: 6DD1E474910318CFCB14DFB4D855A9DBBB2FF8A302F6485A9E40AAB254DF31A985CF11
Memory Dump Source
• Source File: 00000000.00000002.1543634103.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5850000_nXkktDu3Fp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3bd11d14eac2cc398c551bc448ae6b8193720791325ae405027a26fd63238e4c
• Instruction ID: 22dc4688b358f3862c40e80a121b1fcef04fd67e79f47b6103d1f71e590a74be
• Opcode Fuzzy Hash: 3bd11d14eac2cc398c551bc448ae6b8193720791325ae405027a26fd63238e4c
• Instruction Fuzzy Hash: 3DD1D574910318CFCB14DFB4D85569DBBB2FF8A302F6085A9E41AAB254DF31A985CF11

Control-flow Graph
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0190B086
Memory Dump Source
• Source File: 00000000.00000002.1531398633.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1900000_nXkktDu3Fp.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: e57b0c3777a39baac071c015e9d75cb635f7de50d7a7bd893d8c60a9907146b9
• Instruction ID: b3f4762e8482c7cb61f56d27a321bb58a4c372985086ec241ce7730028c3e048
• Opcode Fuzzy Hash: e57b0c3777a39baac071c015e9d75cb635f7de50d7a7bd893d8c60a9907146b9
• Instruction Fuzzy Hash: EA816CB0A00B058FDB25DF69D04475ABBF5FF88304F00892ED59ADBA90D775E84ACB91

Control-flow Graph
APIs
• CreateActCtxA.KERNEL32(?), ref: 019059F1
Memory Dump Source
• Source File: 00000000.00000002.1531398633.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1900000_nXkktDu3Fp.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 40b5fbaff96cb2dd944ae590e597ffc33a59e22b6300dcc02cc273a0f6777d89
• Instruction ID: 8150e44df8ef566f9a8d1d4a369620cfd5c917c40172fb3672070a1d91689953
• Opcode Fuzzy Hash: 40b5fbaff96cb2dd944ae590e597ffc33a59e22b6300dcc02cc273a0f6777d89
• Instruction Fuzzy Hash: 0E41E2B0C00719CFEB25CFA9C884B8DBBB5FF49304F24805AD518AB251D7756985CF90

Control-flow Graph
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 05854381
Memory Dump Source
• Source File: 00000000.00000002.1543634103.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5850000_nXkktDu3Fp.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: ee679a9e4bae7d37301d865b46c48d5aee796c69f7a693024e4a2108d16e9654
• Instruction ID: a3701d555498407ec2a437fd39c6991cc44699a95f924d59e2c306dc767a2fd9
• Opcode Fuzzy Hash: ee679a9e4bae7d37301d865b46c48d5aee796c69f7a693024e4a2108d16e9654
• Instruction Fuzzy Hash: 854129B5900309DFDB14CF99C448EAABBF5FF88324F148459E919AB321D334A845CBA0

Control-flow Graph
APIs
• CreateActCtxA.KERNEL32(?), ref: 019059F1
Memory Dump Source
• Source File: 00000000.00000002.1531398633.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1900000_nXkktDu3Fp.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: c3757a2df0ebd5f0fb1b83a0b67749e68999dc004343d9d4fd0d6a729648159e
• Instruction ID: a93ee011e467a3301c70d17ab0df79bc952a7d406d37346d04bbc3b078567139
• Opcode Fuzzy Hash: c3757a2df0ebd5f0fb1b83a0b67749e68999dc004343d9d4fd0d6a729648159e
• Instruction Fuzzy Hash: 5241CFB0C00718CFEB25CFA9C884B9DBBB5FF49304F20806AD508AB251DB756945CF90

Control-flow Graph
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0190D2C6,?,?,?,?,?), ref: 0190D387
Memory Dump Source
• Source File: 00000000.00000002.1531398633.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1900000_nXkktDu3Fp.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: cbee2679718008d7cb718f4279bf417151749e15eeda913d32616015007405ed
• Instruction ID: 755c50350541cdb7340409b02ac2e4fc2450b2814f94996fdebd989ac75891a1
• Opcode Fuzzy Hash: cbee2679718008d7cb718f4279bf417151749e15eeda913d32616015007405ed
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F421D4B5900348EFDB10CF9AD584ADEFBF4EB48214F14841AE918A7350D374A954CFA5

Control-flow Graph (figure; legend: Executed / Not Executed)
Basic blocks: 489: 190d2f9-190d2fe; 490: 190d300-190d304; 491: 190d305-190d394 (DuplicateHandle); 492: 190d396-190d39c; 493: 190d39d-190d3ba. Edges: 489->490, 489->491, 490->491, 491->492, 491->493, 492->493.
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0190D2C6,?,?,?,?,?), ref: 0190D387
Memory Dump Source
• Source File: 00000000.00000002.1531398633.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1900000_nXkktDu3Fp.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 331c18dd81c1d5373effcf5c1989bdcd256f6f24c551968e2d5b369ff3028d59
• Instruction ID: a881c86462b76cd0f5404f8cb8702475e15bd1d4efee8afa0e99f4349add1a99
• Opcode Fuzzy Hash: 331c18dd81c1d5373effcf5c1989bdcd256f6f24c551968e2d5b369ff3028d59
• Instruction Fuzzy Hash: 6021D2B5D00248EFDB10CF9AD984ADEBBF8EB48214F14801AE918A7250D378A944CFA5

Control-flow Graph (figure; legend: Executed / Not Executed)
Basic blocks: 496: 190b020-190b060; 500: 190b062-190b065; 501: 190b068-190b093 (GetModuleHandleW); 502: 190b095-190b09b; 503: 190b09c-190b0b0. Edges: 496->500, 496->501, 500->501, 501->502, 501->503, 502->503.
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0190B086
Memory Dump Source
• Source File: 00000000.00000002.1531398633.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1900000_nXkktDu3Fp.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 14e1784f023789958df96dd3f361ac6a526eeff6a68fd4298c5a4c51349cb660
• Instruction ID: 5571beb86941d471100c6c499431a7af1e1d95adc044a040c2f4d81609eddca4
• Opcode Fuzzy Hash: 14e1784f023789958df96dd3f361ac6a526eeff6a68fd4298c5a4c51349cb660
• Instruction Fuzzy Hash: 42110FB6C00749CFEB24CF9AC544BDEFBF8EB88210F10841AD569A7650C379A545CFA1

Memory Dump Source
• Source File: 00000000.00000002.1530655563.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14dd000_nXkktDu3Fp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8568ca5a7bf7e195e12216208d4eb954a86ca837ff60394b2e29bbfd20fde4b8
• Instruction ID: 40330145f3749408cd14b0141efb305e47a7ab7f98002eb4cd4867e8e37dd789
• Opcode Fuzzy Hash: 8568ca5a7bf7e195e12216208d4eb954a86ca837ff60394b2e29bbfd20fde4b8
• Instruction Fuzzy Hash: B121F472900204EFDF15DF54D9C0B66BB65FB84324F20C57EE9090B2A6C336E456CAA2

Memory Dump Source
• Source File: 00000000.00000002.1530700818.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14ed000_nXkktDu3Fp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b89c64a0f467d7e8f659aefb9b0620506b073f614d4325916ae49789fc9d8639
• Instruction ID: ba01def87cd46a8dc2e0a159b2fca43eb1da5a80629ef9637ff396f9a760c628
• Opcode Fuzzy Hash: b89c64a0f467d7e8f659aefb9b0620506b073f614d4325916ae49789fc9d8639
• Instruction Fuzzy Hash: E82106B1904200DFDB15DF54D588B16BFA1FB84319F28C56ED90A0B3A6C336D407CA61

Memory Dump Source
• Source File: 00000000.00000002.1530700818.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14ed000_nXkktDu3Fp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b917d1456fd132d673e557b93206d98c8e36cb0768cdf227ebe639e198f4b415
• Instruction ID: 8e55c36753d201a92b7fea55bed99c6d02895c0e9e7cdf676bd552c137a109d8
• Opcode Fuzzy Hash: b917d1456fd132d673e557b93206d98c8e36cb0768cdf227ebe639e198f4b415
• Instruction Fuzzy Hash: 4121B3755093808FCB02CF24D594712BFB1EF46214F28C5DBD8498F6A3C33A980ACB62

Memory Dump Source
• Source File: 00000000.00000002.1530655563.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14dd000_nXkktDu3Fp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
• Instruction ID: a5815d12db6f8e172e6a993b61caaefbb53b0d60aee79770efb3a4a373769491
• Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
• Instruction Fuzzy Hash: 5511C072804240DFDF16CF44D5C0B56BF61FB84324F2486AAD9090B6A7C33AE456CBA1

Memory Dump Source
• Source File: 00000000.00000002.1530655563.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14dd000_nXkktDu3Fp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c18aa1f05b3cab1e25d0f41e955a33a91126b1dcbef5b9513f70ab56667d110
• Instruction ID: 8b6b915136dd0fb72d336fe578534f63313cc6945a1a6e0a3405513df2f047d5
• Opcode Fuzzy Hash: 4c18aa1f05b3cab1e25d0f41e955a33a91126b1dcbef5b9513f70ab56667d110
• Instruction Fuzzy Hash: 4201F7319083409BFF204AAAC884767BF98DF41620F08C55BED080E3D7C2759845CA73

Memory Dump Source
• Source File: 00000000.00000002.1530655563.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14dd000_nXkktDu3Fp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 632d4563913df8181ac187bea8708dd492ca4cb75a1554d7305ad2aad2b44f27
• Instruction ID: 41c28ae51fbef6ade7d03a11a94a32a5fcb59fa36b06c3534a3580a0f1a8d0a2
• Opcode Fuzzy Hash: 632d4563913df8181ac187bea8708dd492ca4cb75a1554d7305ad2aad2b44f27
• Instruction Fuzzy Hash: 78F06271408344AEEB248A5AD984B63FF98EB41624F18C55AED084F7D7C2799844CA72

Memory Dump Source
• Source File: 00000000.00000002.1543634103.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5850000_nXkktDu3Fp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dae8f3ad59f3034f8c409afde646bff62dc58ea880ec1ed27fc63d17397035a7
• Instruction ID: 51d1d62f6b340555a93705bf09e2efeb1cd9e5f0e3341690e782dbd47d04a68c
• Opcode Fuzzy Hash: dae8f3ad59f3034f8c409afde646bff62dc58ea880ec1ed27fc63d17397035a7
• Instruction Fuzzy Hash: 3612ABB0401749ABD338EF25ECCC199BB76B76A324F904609D1611B2D9E7B411FACF64
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1531398633.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_1900000_nXkktDu3Fp.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: 6cf41f9fdf827e4142d884a3268141cbe22c5a52d5717183b5664cc0f14901c7
                                                                                                                                                                                                                  • Instruction ID: 93a6b50820407e177571ff622011c6b7e51c8b048c7ba7411a8c91e35cc747d7
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6cf41f9fdf827e4142d884a3268141cbe22c5a52d5717183b5664cc0f14901c7
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 56A18132E00216CFCF16DFB8C4445DEBBB6FF84301B15856AE909AB295DB71EA55CB80
                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                  • Source File: 00000000.00000002.1543634103.0000000005850000.00000040.00000800.00020000.00000000.sdmp, Offset: 05850000, based on PE: false
                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_5850000_nXkktDu3Fp.jbxd
                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                  • Opcode ID: d80c5c766ecf06d5bc4eead471066a687c646faeecd80837679175060c9facab
                                                                                                                                                                                                                  • Instruction ID: f460e2d11e6ab3a7de981458200f25460b0ad5ac97a995b5fe3787d07a849368
                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d80c5c766ecf06d5bc4eead471066a687c646faeecd80837679175060c9facab
                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6FC161B0401749AFD328EF24EC88199BB76BBAB324F504609D1506F2D9EB7414EACF64