Windows Analysis Report
Implosions.exe

Overview

General Information

Sample name: Implosions.exe
Analysis ID: 1639986
MD5: 1de3d44fc259e585d924d872d8224972
SHA1: d81dc1f25ea3df6dc4d2fb6520491721594fbe96
SHA256: 3ef92d70a248a8e1b1cda278e99f80fa7e66c6c89cbb90c6d3b295faff061b5a
Tags: exe, user-BastianHein

Detection

RedLine
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Joe Sandbox ML detected suspicious sample
Uses known network protocols on non-standard ports
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Implosions.exe (PID: 6364 cmdline: "C:\Users\user\Desktop\Implosions.exe" MD5: 1DE3D44FC259E585D924D872D8224972)
    • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{
  "C2 url": [
    "209.38.151.4:55123"
  ],
  "Bot Id": "vex4you"
}
Source | Rule | Description | Author | Strings
Implosions.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Implosions.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Implosions.exe | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x135ca:$a4: get_ScannedWallets
  • 0x12428:$a5: get_ScanTelegram
  • 0x1324e:$a6: get_ScanGeckoBrowsersPaths
  • 0x1106a:$a7: <Processes>k__BackingField
  • 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1099e:$a9: <ScanFTP>k__BackingField
Implosions.exe | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
  • 0x119cb:$gen01: ChromeGetRoamingName
  • 0x119ff:$gen02: ChromeGetLocalName
  • 0x11a28:$gen03: get_UserDomainName
  • 0x13c67:$gen04: get_encrypted_key
  • 0x131e3:$gen05: browserPaths
  • 0x1352b:$gen06: GetBrowsers
  • 0x12e61:$gen07: get_InstalledInputLanguages
  • 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x8738:$spe1: [A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27}
  • 0x9118:$spe6: windows-1251, CommandLine:
  • 0x143bf:$spe9: *wallet*
  • 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20
  • 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63
  • 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
  • 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
  • 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2
  • 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
Implosions.exe | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1048a:$u7: RunPE
  • 0x13b41:$u8: DownloadAndEx
  • 0x9130:$pat14: , CommandLine:
  • 0x13079:$v2_1: ListOfProcesses
  • 0x1068b:$v2_2: get_ScanVPN
  • 0x1072e:$v2_2: get_ScanFTP
  • 0x1141e:$v2_2: get_ScanDiscord
  • 0x1240c:$v2_2: get_ScanSteam
  • 0x12428:$v2_2: get_ScanTelegram
  • 0x124ce:$v2_2: get_ScanScreen
  • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x13509:$v2_2: get_ScanBrowsers
  • 0x135ca:$v2_2: get_ScannedWallets
  • 0x135f0:$v2_2: get_ScanWallets
  • 0x13610:$v2_3: GetArguments
  • 0x11cd9:$v2_4: VerifyUpdate
  • 0x165ee:$v2_4: VerifyUpdate
  • 0x139ca:$v2_5: VerifyScanRequest
  • 0x130c6:$v2_6: GetUpdates
  • 0x165cf:$v2_6: GetUpdates
Source | Rule | Description | Author | Strings
00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x133ca:$a4: get_ScannedWallets
  • 0x12228:$a5: get_ScanTelegram
  • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
  • 0x10e6a:$a7: <Processes>k__BackingField
  • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1079e:$a9: <ScanFTP>k__BackingField
Process Memory Space: Implosions.exe PID: 6364 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Implosions.exe PID: 6364 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.0.Implosions.exe.2f0000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.Implosions.exe.2f0000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.0.Implosions.exe.2f0000.0.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x135ca:$a4: get_ScannedWallets
  • 0x12428:$a5: get_ScanTelegram
  • 0x1324e:$a6: get_ScanGeckoBrowsersPaths
  • 0x1106a:$a7: <Processes>k__BackingField
  • 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1099e:$a9: <ScanFTP>k__BackingField
0.0.Implosions.exe.2f0000.0.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
  • 0x119cb:$gen01: ChromeGetRoamingName
  • 0x119ff:$gen02: ChromeGetLocalName
  • 0x11a28:$gen03: get_UserDomainName
  • 0x13c67:$gen04: get_encrypted_key
  • 0x131e3:$gen05: browserPaths
  • 0x1352b:$gen06: GetBrowsers
  • 0x12e61:$gen07: get_InstalledInputLanguages
  • 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x8738:$spe1: [A-Za-z\d]{24}\.[\w-]{6}\.[\w-]{27}
  • 0x9118:$spe6: windows-1251, CommandLine:
  • 0x143bf:$spe9: *wallet*
  • 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20
  • 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63
  • 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
  • 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
  • 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2
  • 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.0.Implosions.exe.2f0000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1048a:$u7: RunPE
  • 0x13b41:$u8: DownloadAndEx
  • 0x9130:$pat14: , CommandLine:
  • 0x13079:$v2_1: ListOfProcesses
  • 0x1068b:$v2_2: get_ScanVPN
  • 0x1072e:$v2_2: get_ScanFTP
  • 0x1141e:$v2_2: get_ScanDiscord
  • 0x1240c:$v2_2: get_ScanSteam
  • 0x12428:$v2_2: get_ScanTelegram
  • 0x124ce:$v2_2: get_ScanScreen
  • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x13509:$v2_2: get_ScanBrowsers
  • 0x135ca:$v2_2: get_ScannedWallets
  • 0x135f0:$v2_2: get_ScanWallets
  • 0x13610:$v2_3: GetArguments
  • 0x11cd9:$v2_4: VerifyUpdate
  • 0x165ee:$v2_4: VerifyUpdate
  • 0x139ca:$v2_5: VerifyScanRequest
  • 0x130c6:$v2_6: GetUpdates
  • 0x165cf:$v2_6: GetUpdates
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-16T19:57:11.193787+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:17.801349+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49683 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:24.583200+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49684 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:31.217197+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49690 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:37.840316+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49691 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:44.479821+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49692 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:51.090868+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49696 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:57.695871+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49699 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:04.306340+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49700 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:10.922094+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49702 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:17.506258+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49703 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:24.120709+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:30.733658+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49705 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:37.340576+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:43.966020+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49707 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:50.725226+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49708 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:57.320546+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49709 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:59:03.915634+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49710 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:59:10.509319+0100 | 2849662 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49711 | 209.38.151.4 | 55123 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-16T19:57:11.193787+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49682 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:17.801349+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49683 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:24.583200+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49684 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:31.217197+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49690 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:37.840316+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49691 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:44.479821+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49692 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:51.090868+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49696 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:57.695871+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49699 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:04.306340+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49700 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:10.922094+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49702 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:17.506258+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49703 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:24.120709+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49704 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:30.733658+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49705 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:37.340576+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49706 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:43.966020+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49707 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:50.725226+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49708 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:57.320546+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49709 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:59:03.915634+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49710 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:59:10.509319+0100 | 1800000 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49711 | 209.38.151.4 | 55123 | TCP

                  AV Detection

Source: Implosions.exe | Avira: detected
Source: Implosions.exe | Malware Configuration Extractor: RedLine {"C2 url": ["209.38.151.4:55123"], "Bot Id": "vex4you"}
Source: Implosions.exe | Virustotal: Detection: 83%
Source: Implosions.exe | ReversingLabs: Detection: 86%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Implosions.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Implosions.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: oHC:\Windows\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078713458.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: o.pdbService source: Implosions.exe, 00000000.00000002.2078713458.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb0 source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbb source: Implosions.exe, 00000000.00000002.2078994669.0000000000889000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2082185598.0000000005E52000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb, source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp

                  Networking

Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49710 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49710 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49692 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49692 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49699 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49699 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49711 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49711 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49702 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49702 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49683 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49683 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49705 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49705 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49682 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49682 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49690 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49690 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49691 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49691 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49708 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49708 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49706 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49706 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49684 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49684 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49700 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49700 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49704 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49704 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49696 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49696 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49703 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49703 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49707 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49707 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49709 -> 209.38.151.4:55123
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49709 -> 209.38.151.4:55123
Source: Malware configuration extractor | URLs: 209.38.151.4:55123
Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 55123
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 55123
Source: global traffic | TCP traffic: 192.168.2.8:49682 -> 209.38.151.4:55123
Source: global traffic | HTTP traffic detected:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
                  Source: Joe Sandbox View | ASN Name: ATT-INTERNET4US
                  Source: unknown | TCP traffic detected without corresponding DNS query: 209.38.151.4
                  Source: unknown | HTTP traffic detected:
                      POST / HTTP/1.1
                      Content-Type: text/xml; charset=utf-8
                      SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                      Host: 209.38.151.4:55123
                      Content-Length: 137
                      Expect: 100-continue
                      Accept-Encoding: gzip, deflate
                      Connection: Keep-Alive
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000266F000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://209.38.151.4:55123
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://209.38.151.4:55123/
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000267C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000266F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000267C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000267C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/0
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectLR
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000266F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectT
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsLR
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLR
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
                  Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
                  Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
                  Source: Implosions.exe | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                  Source: Implosions.exe | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
                  Source: Implosions.exe | String found in binary or memory: https://ipinfo.io/ip%appdata%

                  System Summary

                  Source: Implosions.exe, type: SAMPLE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | Author: unknown
                  Source: Implosions.exe, type: SAMPLE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: Implosions.exe, type: SAMPLE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | Author: unknown
                  Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: Finds Redline samples based on characteristic strings | Author: Sekoia.io
                  Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                  Source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | Author: unknown
                  Source: Process Memory Space: Implosions.exe PID: 6364, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | Author: unknown
                  Source: C:\Users\user\Desktop\Implosions.exe | Code function: 0_2_00B3E7B0
                  Source: C:\Users\user\Desktop\Implosions.exe | Code function: 0_2_00B3DC90
                  Source: Implosions.exe, 00000000.00000002.2078994669.00000000007AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Implosions.exe
                  Source: Implosions.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: Implosions.exe, type: SAMPLE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: Implosions.exe, type: SAMPLE | Matched rule: infostealer_win_redline_strings | author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: Implosions.exe, type: SAMPLE | Matched rule: MALWARE_Win_RedLine | snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings | author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine | snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                  Source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: Process Memory Space: Implosions.exe PID: 6364, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                  Source: classification engine | Classification label: mal100.troj.winEXE@2/0@0/1
                  Source: C:\Users\user\Desktop\Implosions.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
                  Source: Implosions.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: Implosions.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\Implosions.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: Implosions.exe | Virustotal: Detection: 83%
                  Source: Implosions.exe | ReversingLabs: Detection: 86%
                  Source: unknown | Process created: C:\Users\user\Desktop\Implosions.exe "C:\Users\user\Desktop\Implosions.exe"
                  Source: C:\Users\user\Desktop\Implosions.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\Implosions.exe | Section loaded: dnsapi.dll
                  Source: Implosions.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Implosions.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: oHC:\Windows\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078713458.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: o.pdbService source: Implosions.exe, 00000000.00000002.2078713458.00000000006F7000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb0 source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbb source: Implosions.exe, 00000000.00000002.2078994669.0000000000889000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2082185598.0000000005E52000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb, source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp
                  Source: Implosions.exe | Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]

                  Hooking and other Techniques for Hiding and Protection

                  Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 55123
                  Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 55123
                  Source: C:\Users\user\Desktop\Implosions.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Implosions.exe; Memory allocated: B30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Implosions.exe; Memory allocated: 25D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Implosions.exe; Memory allocated: 45D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Implosions.exe TID: 6388; Thread sleep time: -75000s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: Implosions.exe, 00000000.00000002.2078994669.0000000000810000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Implosions.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\Implosions.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Implosions.exe; Queries volume information: C:\Users\user\Desktop\Implosions.exe VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\Implosions.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match; File source: Implosions.exe, type: SAMPLE
Source: Yara match; File source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Implosions.exe PID: 6364, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match; File source: Implosions.exe, type: SAMPLE
Source: Yara match; File source: 0.0.Implosions.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Implosions.exe PID: 6364, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count of matched signatures for that technique; techniques without a count are the matrix's default entries with no matching signature)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (2), Disable or Modify Tools (1), Process Injection (1), Timestomp (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery (1), Virtualization/Sandbox Evasion (2), System Information Discovery (12), System Network Configuration Discovery, Internet Connection Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: Encrypted Channel (1), Non-Standard Port (11), Non-Application Layer Protocol (1), Application Layer Protocol (11), Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Behavior Graph (ID: 1639986; sample: Implosions.exe; start date: 16/03/2025; architecture: WINDOWS; score: 100). The graph image is not reproduced here; its recoverable content is:
• Signatures on the root node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
• Process: Implosions.exe started
• DNS/IP: 209.38.151.4, 49682, 49683, 49684 ATT-INTERNET4US United States (contacted by Implosions.exe)
• Process: conhost.exe started by Implosions.exe

Initial Sample (Source, Detection, Scanner, Label):
• Implosions.exe: 84%, Virustotal
• Implosions.exe: 86%, ReversingLabs, ByteCode-MSIL.Infostealer.RedLine
• Implosions.exe: 100%, Avira, HEUR/AGEN.1305500
Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches
URLs (Source, Detection, Scanner, Label):
• http://209.38.151.4:55123: 0%, Avira URL Cloud, safe
• http://209.38.151.4:55123/: 0%, Avira URL Cloud, safe
• https://api.ipify.orgcookies//settinString.Removeg: 0%, Avira URL Cloud, safe
• 209.38.151.4:55123: 0%, Avira URL Cloud, safe


Contacted Domains: No contacted domains info
Contacted URLs (Name, Malicious, Antivirus Detection, Reputation):
• http://209.38.151.4:55123/ | Malicious: true | Avira URL Cloud: safe | Reputation: unknown
• 209.38.151.4:55123 | Malicious: true | Avira URL Cloud: safe | Reputation: unknown
URLs from Memory and Binaries (Name, Source, Malicious, Antivirus Detection, Reputation):
• https://ipinfo.io/ip%appdata% | Source: Implosions.exe | Malicious: false | Reputation: high
• http://209.38.151.4:55123 | Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000266F000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
• http://tempuri.org/Endpoint/CheckConnectLR | Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://tempuri.org/Endpoint/CheckConnectResponse | Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX | Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• https://api.ip.sb/geoip%USERPEnvironmentROFILE% | Source: Implosions.exe | Malicious: false | Reputation: high
• http://schemas.xmlsoap.org/soap/envelope/ | Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000267C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://tempuri.org/ | Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000267C000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://tempuri.org/Endpoint/CheckConnect | Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://tempuri.org/Endpoint/EnvironmentSettingsLR | Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://tempuri.org/Endpoint/VerifyUpdateResponse | Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://tempuri.org/Endpoint/SetEnvironmentResponse | Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://tempuri.org/Endpoint/SetEnvironmentLR | Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• https://api.ipify.orgcookies//settinString.Removeg | Source: Implosions.exe | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
• http://schemas.xmlsoap.org/ws/2004/08/addressing | Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://tempuri.org/Endpoint/GetUpdatesLR | Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://tempuri.org/Endpoint/VerifyUpdateLR | Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://tempuri.org/Endpoint/GetUpdatesResponse | Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://tempuri.org/Endpoint/ | Source: Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://tempuri.org/Endpoint/EnvironmentSettingsResponse | Source: Implosions.exe, 00000000.00000002.2080515452.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.0000000002685000.00000004.00000800.00020000.00000000.sdmp, Implosions.exe, 00000000.00000002.2080515452.000000000279A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://tempuri.org/Endpoint/CheckConnectT | Source: Implosions.exe, 00000000.00000002.2080515452.000000000266F000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://tempuri.org/0 | Source: Implosions.exe, 00000000.00000002.2080515452.000000000267C000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Source: Implosions.exe, 00000000.00000002.2080515452.000000000266F000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
• http://schemas.xmlsoap.org/soap/actor/next | Source: Implosions.exe, 00000000.00000002.2080515452.00000000025D1000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Contacted Public IPs (IP, Domain, Country, ASN, ASN Name, Malicious):
• 209.38.151.4 | Domain: unknown | Country: United States | ASN: 7018 | ASN Name: ATT-INTERNET4US | Malicious: true
                                                                Joe Sandbox version:42.0.0 Malachite
                                                                Analysis ID:1639986
                                                                Start date and time:2025-03-16 19:56:15 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 4m 3s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:Implosions.exe
                                                                Detection:MAL
                                                                Classification:mal100.troj.winEXE@2/0@0/1
                                                                EGA Information:
                                                                • Successful, ratio: 100%
                                                                HCA Information:
                                                                • Successful, ratio: 99%
                                                                • Number of executed functions: 3
                                                                • Number of non-executed functions: 1
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                • Excluded IPs from analysis (whitelisted): 52.149.20.212, 23.199.214.10
                                                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                No simulations
IPs (Match, Associated Sample Name / URL, Detection, Threat Name, Context):
• 209.38.151.4: rBhzchsT4L.exe, malicious, RedLine; context: 209.38.151.4:55123/
• 209.38.151.4: QUOTATION#006565.exe, malicious, RedLine; context: 209.38.151.4:55123/
Domains: No context
ASNs (Match, Associated Sample Name / URL, Detection, Threat Name, Context):
• ATT-INTERNET4US: Nyx4r.arm.elf, malicious, Okiru; context: 99.178.79.234
• ATT-INTERNET4US: sora.ppc.elf, malicious, Mirai; context: 68.153.174.86
• ATT-INTERNET4US: sora.mpsl.elf, malicious, Mirai; context: 12.128.180.103
• ATT-INTERNET4US: sora.sh4.elf, malicious, Mirai; context: 99.25.230.14
• ATT-INTERNET4US: sora.spc.elf, malicious, Mirai; context: 23.127.206.112
• ATT-INTERNET4US: sora.m68k.elf, malicious, Mirai; context: 12.237.171.138
• ATT-INTERNET4US: sora.mips.elf, malicious, Mirai; context: 75.34.39.67
• ATT-INTERNET4US: sora.arm.elf, malicious, Mirai; context: 99.25.229.52
• ATT-INTERNET4US: hgfs.x86.elf, malicious, Unknown; context: 108.235.60.244
• ATT-INTERNET4US: hgfs.mips.elf, malicious, Unknown; context: 108.208.72.34
JA3 Fingerprints: No context
Dropped Files: No context
                                                                No created / dropped files found
                                                                File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):5.960736595682503
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                File name:Implosions.exe
                                                                File size:97'792 bytes
                                                                MD5:1de3d44fc259e585d924d872d8224972
                                                                SHA1:d81dc1f25ea3df6dc4d2fb6520491721594fbe96
                                                                SHA256:3ef92d70a248a8e1b1cda278e99f80fa7e66c6c89cbb90c6d3b295faff061b5a
                                                                SHA512:adf812d7c271d7963a61e0c2cbf332e7d594cfd4e208b9906051f886d88914d95a1f2a84aecaa16007021f066e58ef969bbdf64c22f39d5f3fdf7a8ecf818b56
                                                                SSDEEP:1536:5qs+bqDylbG6jejoigIj43Ywzi0Zb78ivombfexv0ujXyyed2AtmulgS6p8l:XIwiYj+zi0ZbYe1g0ujyzdc8
                                                                TLSH:3CA35D3067AC9F19EAFD1B75B4B2012043F0E08A9091FB4A4DC194E71FA7B865957EF2
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..t..........>.... ........@.. ....................................@................................
                                                                Icon Hash:90cececece8e8eb0
                                                                Entrypoint:0x41933e
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows cui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entrypoint):
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the add byte ptr [eax], al line repeats; each is the disassembly of a 00 00 byte pair, i.e. zero padding after the single-instruction .NET native entry stub)
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x192e4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x4de | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x17344 | 0x17400 | 0d5a2ab91b1f3c42a2206342656ab800 | False | 0.4487462197580645 | data | 6.015778705303866 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x1a000 | 0x4de | 0x600 | e3145af1e7dfa1e41fe7799ae002b612 | False | 0.3756510416666667 | data | 3.723940100220831 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1c000 | 0xc | 0x200 | 89ebbf373068a00e5c68d2ac72a26374 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x1a0a0 | 0x254 | data | | | 0.4597315436241611
RT_MANIFEST | 0x1a2f4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
FileDescription |
FileVersion | 0.0.0.0
InternalName | Implosions.exe
LegalCopyright |
OriginalFilename | Implosions.exe
ProductVersion | 0.0.0.0
Assembly Version | 0.0.0.0


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-16T19:57:11.193787+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49682 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:11.193787+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49682 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:17.801349+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49683 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:17.801349+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49683 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:24.583200+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49684 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:24.583200+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49684 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:31.217197+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49690 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:31.217197+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49690 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:37.840316+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49691 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:37.840316+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49691 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:44.479821+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49692 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:44.479821+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49692 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:51.090868+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49696 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:51.090868+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49696 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:57.695871+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49699 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:57:57.695871+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49699 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:04.306340+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49700 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:04.306340+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49700 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:10.922094+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49702 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:10.922094+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49702 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:17.506258+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49703 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:17.506258+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49703 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:24.120709+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49704 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:24.120709+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49704 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:30.733658+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49705 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:30.733658+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49705 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:37.340576+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49706 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:37.340576+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49706 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:43.966020+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49707 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:43.966020+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49707 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:50.725226+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49708 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:50.725226+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49708 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:57.320546+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49709 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:58:57.320546+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49709 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:59:03.915634+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49710 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:59:03.915634+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49710 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:59:10.509319+0100 | 1800000 | Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect | 1 | 192.168.2.8 | 49711 | 209.38.151.4 | 55123 | TCP
2025-03-16T19:59:10.509319+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.8 | 49711 | 209.38.151.4 | 55123 | TCP
                                                                Mar 16, 2025 19:58:22.525223970 CET4970455123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:22.525321007 CET4970455123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:22.529987097 CET5512349704209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:22.878593922 CET4970455123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:22.883368969 CET5512349704209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:24.120588064 CET5512349704209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:24.120708942 CET4970455123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:24.120825052 CET4970455123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:24.125555992 CET5512349704209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:29.130207062 CET4970555123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:29.135723114 CET5512349705209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:29.135822058 CET4970555123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:29.135967016 CET4970555123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:29.141237974 CET5512349705209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:29.489286900 CET4970555123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:29.494112968 CET5512349705209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:30.733525991 CET5512349705209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:30.733658075 CET4970555123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:30.733998060 CET4970555123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:30.739660978 CET5512349705209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:35.739217043 CET4970655123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:35.745065928 CET5512349706209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:35.745187998 CET4970655123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:35.745395899 CET4970655123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:35.750772953 CET5512349706209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:36.097681999 CET4970655123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:36.102597952 CET5512349706209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:37.340465069 CET5512349706209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:37.340575933 CET4970655123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:37.347042084 CET4970655123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:37.351857901 CET5512349706209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:42.365847111 CET4970755123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:42.370703936 CET5512349707209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:42.370831966 CET4970755123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:42.371155024 CET4970755123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:42.376173019 CET5512349707209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:42.722266912 CET4970755123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:42.726999998 CET5512349707209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:43.965832949 CET5512349707209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:43.966020107 CET4970755123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:43.966195107 CET4970755123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:43.970911026 CET5512349707209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:48.975095987 CET4970855123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:49.155919075 CET5512349708209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:49.156076908 CET4970855123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:49.156338930 CET4970855123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:49.161041021 CET5512349708209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:49.503789902 CET4970855123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:49.508675098 CET5512349708209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:50.725043058 CET5512349708209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:50.725225925 CET4970855123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:50.725542068 CET4970855123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:50.730258942 CET5512349708209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:55.739197016 CET4970955123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:55.744064093 CET5512349709209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:55.744163990 CET4970955123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:55.744467974 CET4970955123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:55.749171019 CET5512349709209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:56.097560883 CET4970955123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:56.102354050 CET5512349709209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:57.320468903 CET5512349709209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:58:57.320545912 CET4970955123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:57.320667028 CET4970955123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:58:57.326620102 CET5512349709209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:59:02.334352016 CET4971055123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:59:02.339185953 CET5512349710209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:59:02.339293003 CET4971055123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:59:02.339643955 CET4971055123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:59:02.344300032 CET5512349710209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:59:02.691416025 CET4971055123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:59:02.696216106 CET5512349710209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:59:03.914522886 CET5512349710209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:59:03.915633917 CET4971055123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:59:03.918025970 CET4971055123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:59:03.922750950 CET5512349710209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:59:08.928366899 CET4971155123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:59:08.933259964 CET5512349711209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:59:08.933399916 CET4971155123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:59:08.934860945 CET4971155123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:59:08.939496994 CET5512349711209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:59:09.284955025 CET4971155123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:59:09.292558908 CET5512349711209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:59:10.509131908 CET5512349711209.38.151.4192.168.2.8
                                                                Mar 16, 2025 19:59:10.509319067 CET4971155123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:59:10.509471893 CET4971155123192.168.2.8209.38.151.4
                                                                Mar 16, 2025 19:59:10.514142990 CET5512349711209.38.151.4192.168.2.8
                                                                • 209.38.151.4:55123
Session ID: 0
Source IP: 192.168.2.8   Source Port: 49682
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:57:09.626493931 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 1
Source IP: 192.168.2.8   Source Port: 49683
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:57:16.228775024 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 2
Source IP: 192.168.2.8   Source Port: 49684
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:57:23.003272057 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 3
Source IP: 192.168.2.8   Source Port: 49690
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:57:29.604918957 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 4
Source IP: 192.168.2.8   Source Port: 49691
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:57:36.244226933 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 5
Source IP: 192.168.2.8   Source Port: 49692
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:57:42.878701925 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 6
Source IP: 192.168.2.8   Source Port: 49696
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:57:49.495085001 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 7
Source IP: 192.168.2.8   Source Port: 49699
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:57:56.118489981 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 8
Source IP: 192.168.2.8   Source Port: 49700
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:58:02.713150978 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 9
Source IP: 192.168.2.8   Source Port: 49702
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:58:09.329215050 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 10
Source IP: 192.168.2.8   Source Port: 49703
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:58:15.931871891 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 11
Source IP: 192.168.2.8   Source Port: 49704
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:58:22.525321007 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 12
Source IP: 192.168.2.8   Source Port: 49705
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:58:29.135967016 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 13
Source IP: 192.168.2.8   Source Port: 49706
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:58:35.745395899 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 14
Source IP: 192.168.2.8   Source Port: 49707
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:58:42.371155024 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID: 15
Source IP: 192.168.2.8   Source Port: 49708
Destination IP: 209.38.151.4   Destination Port: 55123
PID: 6364   Process: C:\Users\user\Desktop\Implosions.exe
Timestamp: Mar 16, 2025 19:58:49.156338930 CET   Bytes transferred: 239   Direction: OUT
Data:
POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.8 | 49709 | 209.38.151.4 | 55123 | 6364 | C:\Users\user\Desktop\Implosions.exe
Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 19:58:55.744467974 CET | 239 | OUT | POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.8 | 49710 | 209.38.151.4 | 55123 | 6364 | C:\Users\user\Desktop\Implosions.exe
Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 19:59:02.339643955 CET | 239 | OUT | POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.8 | 49711 | 209.38.151.4 | 55123 | 6364 | C:\Users\user\Desktop\Implosions.exe
Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 19:59:08.934860945 CET | 239 | OUT | POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 209.38.151.4:55123
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


[Charts: process execution timeline (0-100 s), memory usage over time (MB), and process behavior distribution by File, Registry and Network]

                                                                Target ID:0
                                                                Start time:14:57:07
                                                                Start date:16/03/2025
                                                                Path:C:\Users\user\Desktop\Implosions.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\Implosions.exe"
                                                                Imagebase:0x2f0000
                                                                File size:97'792 bytes
                                                                MD5 hash:1DE3D44FC259E585D924D872D8224972
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000000.837325917.00000000002F2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                Reputation:low
                                                                Has exited:false

                                                                Target ID:1
                                                                Start time:14:57:07
                                                                Start date:16/03/2025
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6e60e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                Execution Graph

                                                                Execution Coverage

                                                                Dynamic/Packed Code Coverage

                                                                Signature Coverage

                                                                Execution Coverage:13.6%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:16
                                                                Total number of Limit Nodes:0
execution_graph nodes: 12954 b30871; 12955 b30889; 12958 b308d8; 12959 b308fa; 12960 b3093e; 12963 b308c8; 12964 b308fa; 12965 b3093e; 12966 b30ce0 GetConsoleWindow; 12967 b30ce8 GetConsoleWindow; 12968 b30ce0; 12969 b30d26 GetConsoleWindow; 12971 b30d56; 12972 b30ce8; 12973 b30d26 GetConsoleWindow; 12975 b30d56
execution_graph edges: 12954->12958, 12954->12963, 12958->12959, 12959->12968, 12959->12972, 12960->12955, 12963->12964, 12964->12966, 12964->12967, 12965->12955, 12966->12965, 12967->12965, 12968->12969, 12969->12971, 12971->12960, 12972->12973, 12973->12975, 12975->12960

                                                                Executed Functions

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2080253588.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_b30000_Implosions.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 580a33b29cf79af1b38e3ee65294030da18daf1a1ed7617f63b9b4314246ef61
                                                                • Instruction ID: fa4790fea6caf8c640ab2d064fdce68ae3eac47f127aa6ec26a704cfa89601a4
                                                                • Opcode Fuzzy Hash: 580a33b29cf79af1b38e3ee65294030da18daf1a1ed7617f63b9b4314246ef61
                                                                • Instruction Fuzzy Hash: 93820974B002148FDB55DF68D998B6DBBB2EF88301F1085A9E90A9B3A5DB34ED41CF50

                                                                Control-flow Graph

control_flow_graph nodes: 863 (b30ce0-b30d54, GetConsoleWindow); 866 (b30d56-b30d5c); 867 (b30d5d-b30d82)
control_flow_graph edges: 863->866, 863->867, 866->867
                                                                APIs
                                                                • GetConsoleWindow.KERNELBASE ref: 00B30D47
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2080253588.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_b30000_Implosions.jbxd
                                                                Similarity
                                                                • API ID: ConsoleWindow
                                                                • String ID:
                                                                • API String ID: 2863861424-0
                                                                • Opcode ID: 7cf7646306f9d1cee8bc2e0a18cdd9589280f3437f065866bc80c92857a3fb75
                                                                • Instruction ID: 0c8a1bd8ba38c79f71be960294770ace7ed8f1ee3913e5d1950b8811d3240acb
                                                                • Opcode Fuzzy Hash: 7cf7646306f9d1cee8bc2e0a18cdd9589280f3437f065866bc80c92857a3fb75
                                                                • Instruction Fuzzy Hash: 10113275D043498FDB20DFAAD4597EEBBF1AF88314F24846AC45AA7240CB79A5448BA0

                                                                Control-flow Graph

control_flow_graph nodes: 871 (b30ce8-b30d54, GetConsoleWindow); 874 (b30d56-b30d5c); 875 (b30d5d-b30d82)
control_flow_graph edges: 871->874, 871->875, 874->875
                                                                APIs
                                                                • GetConsoleWindow.KERNELBASE ref: 00B30D47
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2080253588.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_b30000_Implosions.jbxd
                                                                Similarity
                                                                • API ID: ConsoleWindow
                                                                • String ID:
                                                                • API String ID: 2863861424-0
                                                                • Opcode ID: f83c20e27821d39859b5ffd7f5b08177ad36da77e502cbfd29ee2d8cf3a1dece
                                                                • Instruction ID: ae4244282cff8d0821dcb01ae2203804d16bf67bf1fb348d1eb88bf9cdb96d5d
                                                                • Opcode Fuzzy Hash: f83c20e27821d39859b5ffd7f5b08177ad36da77e502cbfd29ee2d8cf3a1dece
                                                                • Instruction Fuzzy Hash: BD113675D003098FDB20DFAAC44979EFBF5AF48314F208429D41AA7240CB79A544CFA0

                                                                Non-executed Functions

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2080253588.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_b30000_Implosions.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: HDr
                                                                • API String ID: 0-1522847794
                                                                • Opcode ID: e9f38d51a38b27f5574957457b49b09be2bd7aafdff27b0e400a6725ddb086db
                                                                • Instruction ID: ea9de1c7e8140481f7e8e9e08fbebfdb14ae32ce8657bf09c485ed6c5ee735b0
                                                                • Opcode Fuzzy Hash: e9f38d51a38b27f5574957457b49b09be2bd7aafdff27b0e400a6725ddb086db
                                                                • Instruction Fuzzy Hash: 18D18E74B002158FDB54EBB8D854A6EBBF6EFC8300B1581A9E905DB3A5DB34DD02CB91