Edit tour

Windows Analysis Report
xMYbN0Yd2a.exe

Overview

General Information

Sample name:	xMYbN0Yd2a.exe renamed because original name is a hash value
Original sample name:	4492289dc538a6ee40cb2f654a8cf8dd536de11b69f64584f1da4803a52eb61d.exe
Analysis ID:	1554433
MD5:	e4cf78746e4d0f16f1c75e2b92f87d4e
SHA1:	e933bb895443f5c0bf01ed48f61ea294c1293e1f
SHA256:	4492289dc538a6ee40cb2f654a8cf8dd536de11b69f64584f1da4803a52eb61d
Tags:	4-251-123-83exeuser-JAMESWT_MHT
Infos:

Detection

Meduza Stealer, PureLog Stealer, RedLine, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Meduza Stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Program does not show much activity (idle)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

xMYbN0Yd2a.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\xMYbN0Yd2a.exe" MD5: E4CF78746E4D0F16F1C75E2B92F87D4E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: RedLine

{"C2 url": "4.251.123.83:6677"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
xMYbN0Yd2a.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
xMYbN0Yd2a.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
xMYbN0Yd2a.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
xMYbN0Yd2a.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45c1d:$s1: file:/// 0x45b55:$s2: {11111-22222-10009-11112} 0x45bad:$s3: {11111-22222-50001-00000} 0x423fa:$s4: get_Module 0x42864:$s5: Reverse 0x45226:$s6: BlockCopy 0x42c23:$s7: ReadByte 0x45c2f:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000000.2464452720.0000000000012000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000000.2464452720.0000000000012000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.2540695600.000000000235D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: xMYbN0Yd2a.exe PID: 6644	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: xMYbN0Yd2a.exe PID: 6644	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: xMYbN0Yd2a.exe PID: 6644	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.xMYbN0Yd2a.exe.10000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
1.0.xMYbN0Yd2a.exe.10000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.0.xMYbN0Yd2a.exe.10000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.0.xMYbN0Yd2a.exe.10000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45c1d:$s1: file:/// 0x45b55:$s2: {11111-22222-10009-11112} 0x45bad:$s3: {11111-22222-50001-00000} 0x423fa:$s4: get_Module 0x42864:$s5: Reverse 0x45226:$s6: BlockCopy 0x42c23:$s7: ReadByte 0x45c2f:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T14:51:38.881946+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.12	49712	TCP
2024-11-12T14:52:19.862192+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.12	63104	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T14:51:27.632944+0100	2046056	1	A Network Trojan was detected	4.251.123.83	6677	192.168.2.12	49711	TCP

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T14:51:27.119459+0100	2046045	1	A Network Trojan was detected	192.168.2.12	49711	4.251.123.83	6677	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: xMYbN0Yd2a.exe

Avira: detected

Found malware configuration

Source: xMYbN0Yd2a.exe.6644.1.memstrmin

Malware Configuration Extractor: RedLine {"C2 url": "4.251.123.83:6677"}

Multi AV Scanner detection for submitted file

Source: xMYbN0Yd2a.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: xMYbN0Yd2a.exe

Joe Sandbox ML: detected

Source: xMYbN0Yd2a.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: xMYbN0Yd2a.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.12:49711 -> 4.251.123.83:6677
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 4.251.123.83:6677 -> 192.168.2.12:49711

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 4.251.123.83:6677

Source: global traffic

TCP traffic: 192.168.2.12:49711 -> 4.251.123.83:6677

Source: Joe Sandbox View

ASN Name: LEVEL3US LEVEL3US

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.12:49712
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.12:63104

Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83

Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: xMYbN0Yd2a.exe, 00000001.00000002.2552732041.000000001B28C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldbl6&? equals www.youtube.com (Youtube)
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: qC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002A04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: qC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldbH equals www.youtube.com (Youtube)

Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.000000000235D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field1
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field1Response
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field2
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2540695600.000000000235D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field2Response
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field3
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.000000000235D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field3Response
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000025CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.000000000235D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: xMYbN0Yd2a.exe, type: SAMPLE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 1.0.xMYbN0Yd2a.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: xMYbN0Yd2a.exe, Strings.cs

Large array initialization: Strings: array initializer size 6160

Source: xMYbN0Yd2a.exe, 00000001.00000000.2464452720.000000000009E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGristles.exe" vs xMYbN0Yd2a.exe
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.000000000235D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs xMYbN0Yd2a.exe
Source: xMYbN0Yd2a.exe	Binary or memory string: OriginalFilenameGristles.exe" vs xMYbN0Yd2a.exe

Source: xMYbN0Yd2a.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: xMYbN0Yd2a.exe, type: SAMPLE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 1.0.xMYbN0Yd2a.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: xMYbN0Yd2a.exe, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: xMYbN0Yd2a.exe, Class4.cs	Cryptographic APIs: 'CreateDecryptor'
Source: xMYbN0Yd2a.exe, Class4.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe

File created: C:\Users\user\AppData\Local\Microsoft\Wind?ws

Jump to behavior

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe

Mutant created: NULL

Source: xMYbN0Yd2a.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: xMYbN0Yd2a.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: xMYbN0Yd2a.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: xMYbN0Yd2a.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: xMYbN0Yd2a.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: xMYbN0Yd2a.exe, Class4.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: xMYbN0Yd2a.exe

Static PE information: 0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Code function: 1_2_00007FFE165163EE push ss; retf	1_2_00007FFE165163EF
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Code function: 1_2_00007FFE16514567 push E8FFFFFFh; iretd	1_2_00007FFE1651456D
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Code function: 1_2_00007FFE165E3F29 push eax; iretd	1_2_00007FFE165E3F31
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Code function: 1_2_00007FFE165E2004 pushad ; retf	1_2_00007FFE165E2005

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: \QEMU-GA.EXE

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Memory allocated: 20B0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Memory allocated: 1A2B0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Window / User API: threadDelayed 1220			Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Window / User API: threadDelayed 2401			Jump to behavior

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe TID: 6872	Thread sleep time: -11990383647911201s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe TID: 6664	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696508427s
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696508427f
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696508427\|UE
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: xMYbN0Yd2a.exe, 00000001.00000002.2552796800.000000001B29D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696508427o
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696508427
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696508427j
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012614000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696508427

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe

Process token adjusted: Debug

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Queries volume information: C:\Users\user\Desktop\xMYbN0Yd2a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: xMYbN0Yd2a.exe, 00000001.00000002.2552796800.000000001B29D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: xMYbN0Yd2a.exe PID: 6644, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: xMYbN0Yd2a.exe, type: SAMPLE
Source: Yara match	File source: 1.0.xMYbN0Yd2a.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.2464452720.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: xMYbN0Yd2a.exe, type: SAMPLE
Source: Yara match	File source: 1.0.xMYbN0Yd2a.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.2464452720.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xMYbN0Yd2a.exe PID: 6644, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: xMYbN0Yd2a.exe, type: SAMPLE
Source: Yara match	File source: 1.0.xMYbN0Yd2a.exe.10000.0.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: hieplnfojfccegoloniefimmbfjdgcgp\|Electrum
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectronCashE#
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne\|JaxxxLiberty
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: idkppnahnmmggbmfkjhiakkbkdpnmnon\|Exodus
Source: xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: xMYbN0Yd2a.exe, 00000001.00000000.2464452720.0000000000012000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\xMYbN0Yd2a.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior

Source: Yara match	File source: 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2540695600.000000000235D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xMYbN0Yd2a.exe PID: 6644, type: MEMORYSTR

Remote Access Functionality

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: xMYbN0Yd2a.exe PID: 6644, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: xMYbN0Yd2a.exe, type: SAMPLE
Source: Yara match	File source: 1.0.xMYbN0Yd2a.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.2464452720.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: xMYbN0Yd2a.exe, type: SAMPLE
Source: Yara match	File source: 1.0.xMYbN0Yd2a.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.2464452720.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xMYbN0Yd2a.exe PID: 6644, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: xMYbN0Yd2a.exe, type: SAMPLE
Source: Yara match	File source: 1.0.xMYbN0Yd2a.exe.10000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	331 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
xMYbN0Yd2a.exe	63%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
xMYbN0Yd2a.exe	100%	Avira	HEUR/AGEN.1312138
xMYbN0Yd2a.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
4.251.123.83:6677	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
4.251.123.83:6677	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discord.com/api/v9/users/	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field1Response	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.000000000235D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ip.sb/ip	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/sc	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.w3.oh	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.000000000235D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field1	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/envelope/	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field2	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field3	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/06/addressingex	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.w3.o	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000025CF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/example/Field3Response	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.000000000235D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	xMYbN0Yd2a.exe, 00000001.00000002.2548705455.00000000122EA000.00000004.00000800.00020000.00000000.sdmp, xMYbN0Yd2a.exe, 00000001.00000002.2548705455.0000000012502000.00000004.00000800.00020000.00000000.sdmp	false	high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.00000000022B1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2002/12/policy	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit	xMYbN0Yd2a.exe, 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
4.251.123.83	unknown	United States		3356	LEVEL3US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554433
Start date and time:	2024-11-12 14:50:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	xMYbN0Yd2a.exe renamed because original name is a hash value
Original Sample Name:	4492289dc538a6ee40cb2f654a8cf8dd536de11b69f64584f1da4803a52eb61d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: xMYbN0Yd2a.exe

Simulations

Behavior and APIs

Time	Type	Description
08:51:28	API Interceptor	18x Sleep call for process: xMYbN0Yd2a.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
4.251.123.83	FaZM14kDMN.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	j7movK82QT.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	Z4uyrnCQ8L.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	file.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEVEL3US	FaZM14kDMN.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	j7movK82QT.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	Z4uyrnCQ8L.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	65.90.191.211
	sora.arm.elf	Get hash	malicious	Mirai	Browse	4.98.147.155
	DEMASI-24-12B DOC. SCAN.exe	Get hash	malicious	GuLoader, Remcos	Browse	4.150.155.223
	amen.arm6.elf	Get hash	malicious	Mirai	Browse	7.167.215.90
	amen.x86.elf	Get hash	malicious	Mirai	Browse	11.22.83.104
	amen.arm.elf	Get hash	malicious	Unknown	Browse	6.17.53.0
	zgp.elf	Get hash	malicious	Mirai	Browse	9.168.203.84

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.180221936212593
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	xMYbN0Yd2a.exe
File size:	743'424 bytes
MD5:	e4cf78746e4d0f16f1c75e2b92f87d4e
SHA1:	e933bb895443f5c0bf01ed48f61ea294c1293e1f
SHA256:	4492289dc538a6ee40cb2f654a8cf8dd536de11b69f64584f1da4803a52eb61d
SHA512:	2cd5d32011ddcd9d72d171889360c149d157d1347bc59061374932fabfae54ae0fe6663e2208a9a7f1cc3a610c8b8ccf452c7330aaa21cfc56b992ec5b2e78a3
SSDEEP:	12288:yDDYDzqxxXBNt1BrivR0V4TBjgYxs1wl206gBawFV2ceSb0BQ/GfM/4QiAzojgJ1:yDDY3qxx1NsXo
TLSH:	89F4701C5BBC058CEC8CD531BE20C9326EA04E08919FCB49A569FA151EB6277B3F5BD1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	0e9696961617e982

Static PE Info

General

Entrypoint:	0x44d0ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4d0a0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4e000	0x6a022	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4b0f4	0x4b200	fec7bcd0167b4345a971b22f09f610ca	False	0.4180174968801997	data	6.528753723920662	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4e000	0x6a022	0x6a200	65e4195d76e2641b30f5c060426a53b1	False	0.04090059997055359	data	3.4733020781588206	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0xc	0x200	3a13fecd19ca9773d82cc3855bc1b8eb	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x4e2b0	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	0.019047548598988075
RT_ICON	0x902d8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.03903939429788241
RT_ICON	0xa0b00	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.0580460374185411
RT_ICON	0xa9fa8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.08243992606284659
RT_ICON	0xaf430	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.0987836561171469
RT_ICON	0xb3658	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.14284232365145227
RT_ICON	0xb5c00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.22537523452157598
RT_ICON	0xb6ca8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.30901639344262294
RT_ICON	0xb7630	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.4530141843971631
RT_GROUP_ICON	0xb7a98	0x84	data	0.7196969696969697
RT_VERSION	0xb7b1c	0x31c	data	0.4535175879396985
RT_MANIFEST	0xb7e38	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-12T14:51:27.119459+0100	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	1	192.168.2.12	49711	4.251.123.83	6677	TCP
2024-11-12T14:51:27.632944+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	4.251.123.83	6677	192.168.2.12	49711	TCP
2024-11-12T14:51:38.881946+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.12	49712	TCP
2024-11-12T14:52:19.862192+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.12	63104	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 14:51:26.226610899 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:26.231715918 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:26.232424974 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:26.234738111 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:26.239574909 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.071273088 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.118007898 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:27.119458914 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:27.124353886 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.358668089 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.387295961 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:27.392182112 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.632637024 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.632663012 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.632674932 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.632766008 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.632842064 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.632859945 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:27.632880926 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:27.632944107 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.632956028 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.632968903 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.633013964 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:27.633013964 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:27.633351088 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.633702040 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.633713961 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.633724928 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.633763075 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:27.633783102 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:27.751203060 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.751219988 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.751239061 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.751251936 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.751267910 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:27.751295090 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:27.751324892 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.751526117 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:27.751585007 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.273361921 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.278280973 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.278297901 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.278318882 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.278331995 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.278331995 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.278362989 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.278374910 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.278381109 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.278398037 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.278409004 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.278431892 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.278454065 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.278455019 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.278466940 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.278501987 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.278512001 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.283200026 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.283241034 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.283246040 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.283252001 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.283276081 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.283282042 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.283293962 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.283299923 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.283335924 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.283400059 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.283442974 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.283442974 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.283504009 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.283529043 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.283581018 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288021088 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288079023 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288108110 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288150072 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288155079 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288177967 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288192987 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288211107 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288254976 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288292885 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288321018 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288361073 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288367987 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288395882 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288438082 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288449049 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288467884 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288487911 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288507938 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288525105 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288539886 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288559914 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288578987 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288583040 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288594007 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288620949 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288624048 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288633108 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288645029 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288665056 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288676977 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288707972 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288736105 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288753986 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288765907 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288777113 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288790941 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288803101 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288825989 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288830042 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288842916 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288844109 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288863897 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288865089 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288875103 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.288877964 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288896084 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.288906097 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.293037891 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293082952 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293091059 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.293095112 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293107033 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293138027 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.293167114 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293169022 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.293179989 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293201923 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.293215990 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293227911 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293230057 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.293251038 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.293262959 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293275118 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293278933 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.293288946 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293292999 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.293309927 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293313980 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.293335915 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293338060 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.293356895 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.293407917 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293426037 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293438911 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293459892 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293469906 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293508053 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293519020 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293557882 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293570995 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293646097 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293699026 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293725014 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293735027 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293746948 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293761969 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293782949 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293800116 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293833017 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293843985 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293854952 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293865919 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293888092 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293899059 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293920040 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293931961 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293976068 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.293987989 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294045925 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294058084 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294069052 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294161081 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.294172049 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294183969 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294195890 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294209003 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294210911 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.294219971 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294233084 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294244051 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294265032 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294276953 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294289112 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294300079 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294312954 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294323921 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294336081 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294358969 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294370890 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294383049 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294393063 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294414997 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294426918 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294439077 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294461012 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294471979 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.294483900 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.297954082 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.297976971 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298032045 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298085928 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298167944 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298188925 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298201084 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298249960 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298261881 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298273087 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298293114 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298304081 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298377991 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298389912 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298403025 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298415899 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298506021 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298516989 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298547029 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298558950 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298579931 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298599005 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298610926 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.298621893 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299256086 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299333096 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299345016 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299379110 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299390078 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299443960 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299454927 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.299467087 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299510956 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.299513102 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299529076 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299590111 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299601078 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299649000 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299659967 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299689054 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299700022 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299746990 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299758911 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299783945 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299794912 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299822092 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299834013 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299859047 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299870014 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299890041 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299901009 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299931049 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299942017 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299954891 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299985886 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.299997091 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300024033 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300035000 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300050020 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300075054 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300086021 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300129890 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300141096 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300175905 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300188065 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300211906 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300223112 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300268888 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300280094 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300329924 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300350904 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300375938 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300386906 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300406933 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300421000 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300455093 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300472975 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300483942 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.300503969 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.302403927 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.302582026 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.302625895 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.304359913 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304372072 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304404974 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304416895 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304447889 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304506063 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304517031 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304529905 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304552078 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304563046 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304617882 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304629087 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304649115 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304665089 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304722071 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304742098 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304821968 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.304832935 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305032969 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305046082 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305113077 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305124998 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305159092 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305170059 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305259943 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305275917 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305296898 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305308104 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305352926 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305417061 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305429935 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305449963 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305460930 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305483103 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305495024 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305557013 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305568933 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305583000 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305597067 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305629969 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305644035 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305655003 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305762053 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305775881 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305829048 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305840015 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305867910 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305880070 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305900097 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305911064 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305972099 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305984020 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.305995941 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.307442904 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.307491064 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.307607889 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.307635069 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.307647943 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.307667017 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.307670116 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.307681084 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.307694912 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.307715893 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.307769060 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.307832003 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.307859898 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.307872057 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.307962894 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.307976007 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308031082 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308042049 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308087111 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308119059 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308199883 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308218956 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308260918 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308273077 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308301926 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308315039 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308394909 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308406115 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308442116 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308453083 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308474064 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308485985 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308507919 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308532953 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308562994 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308574915 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308597088 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308608055 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308649063 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308660984 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308691978 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308702946 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308717012 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308756113 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308779955 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308792114 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308810949 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308823109 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308851004 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308914900 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308957100 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308968067 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.308996916 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.309007883 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.309025049 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312556028 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312616110 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312628984 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312714100 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.312731028 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312741995 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312757969 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312762022 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.312768936 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312797070 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312808037 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312834024 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312844992 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312877893 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312889099 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312906981 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312959909 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312988043 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.312999964 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313092947 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313105106 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313117027 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313128948 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313148975 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313164949 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313177109 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313189983 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313215971 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313227892 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313251019 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313261032 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313292027 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313304901 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313324928 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313335896 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313361883 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313373089 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313393116 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313426971 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313452005 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313463926 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313477039 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313553095 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313579082 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313590050 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313601971 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313612938 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313644886 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313657045 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313682079 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313694000 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313743114 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313754082 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313772917 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.313823938 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.317600965 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.317614079 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.317629099 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.317647934 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.317684889 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.317764997 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.317764044 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.317797899 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.317809105 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.317811966 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.317836046 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.317851067 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.317919970 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.317930937 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.317967892 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.317980051 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.318093061 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.318104029 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.318706989 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.318718910 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.319039106 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.319055080 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.319330931 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.319343090 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.319711924 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.319850922 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320152998 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320205927 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320216894 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320229053 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320250034 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320261002 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320287943 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320300102 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320312023 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320322990 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320344925 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320357084 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320369005 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320379972 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320391893 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320403099 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320415020 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320426941 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320437908 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320449114 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320460081 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320471048 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320482016 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320493937 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320506096 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320517063 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320529938 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320540905 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.320554972 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.323131084 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.323276997 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.323343039 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.370004892 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:31.370182991 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.370265961 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.370265961 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.370292902 CET	49711	6677	192.168.2.12	4.251.123.83
Nov 12, 2024 14:51:31.421494007 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:32.211098909 CET	6677	49711	4.251.123.83	192.168.2.12
Nov 12, 2024 14:51:32.219602108 CET	49711	6677	192.168.2.12	4.251.123.83

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 14:51:41.782238007 CET	53	59492	1.1.1.1	192.168.2.12

Target ID:	1
Start time:	08:51:23
Start date:	12/11/2024
Path:	C:\Users\user\Desktop\xMYbN0Yd2a.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\xMYbN0Yd2a.exe"
Imagebase:	0x10000
File size:	743'424 bytes
MD5 hash:	E4CF78746E4D0F16F1C75E2B92F87D4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000000.2464452720.0000000000012000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.2464452720.0000000000012000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.2540695600.0000000002340000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2540695600.000000000235D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	22.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFE167321FF Relevance: 1.7, APIs: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE ref: 00007FFE167322EA

Memory Dump Source

Source File: 00000001.00000002.2557460051.00007FFE16730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16730000_xMYbN0Yd2a.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c6efac401fdf93587dff794b5292c292edffa899deacdfd4af79619d11027fa4
Instruction ID: acb76aebf152e0a6e1a8e7c591d1c3a6830ac3433a52b5a7fd3bbd435380a8c8
Opcode Fuzzy Hash: c6efac401fdf93587dff794b5292c292edffa899deacdfd4af79619d11027fa4
Instruction Fuzzy Hash: 77416D31D18B1C8FDB58EF5898456EDB7E1FB98310F00826AD40DE7255CB74A855CBC2

Function 00007FFE16510F47 Relevance: 1.4, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r69t, xrefs: 00007FFE165110A4

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID: r69t
API String ID: 0-2574784182
Opcode ID: 5be8aad886e789c2e2222f67a4d87a516abd715b5bf9fe945f96f2350e3d7022
Instruction ID: bc1303364bf0f959a855cbf80d1d666e1bae085524e63eca290bd01efdc988a0
Opcode Fuzzy Hash: 5be8aad886e789c2e2222f67a4d87a516abd715b5bf9fe945f96f2350e3d7022
Instruction Fuzzy Hash: 6D815174A05A1C8FCB94EB18C898BA8B7B2FF59301F5441E9D14DE7265CB31AD81CF44

Function 00007FFE165115D6 Relevance: 1.4, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

k<N_^, xrefs: 00007FFE16511674

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID: k<N_^
API String ID: 0-2480326054
Opcode ID: f16895722aae7db5d67d14b1178ece84a9282c628df1ec5d078307b038e1979c
Instruction ID: 12e3a6ad26c16dff9ceb13954e272596c5b174e268081b3dd088a04905dbc650
Opcode Fuzzy Hash: f16895722aae7db5d67d14b1178ece84a9282c628df1ec5d078307b038e1979c
Instruction Fuzzy Hash: C951A474A09A198FDBA8DF58C494AACB7B2FF58300F5041E9D40EE72A5CB35AD81CF00

Function 00007FFE165E04FF Relevance: 1.3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X<t, xrefs: 00007FFE165E054B

Memory Dump Source

Source File: 00000001.00000002.2556161619.00007FFE165E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE165E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe165e0000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID: X<t
API String ID: 0-62826456
Opcode ID: 5c16c2644b3e368ae0db80bda62b434be27928f6cb2c9ea85a03be6095d3b54d
Instruction ID: fe5796f417063669d8d1d61812a15d8554fae77a4b080a1cff45e948513f9e24
Opcode Fuzzy Hash: 5c16c2644b3e368ae0db80bda62b434be27928f6cb2c9ea85a03be6095d3b54d
Instruction Fuzzy Hash: 40F0F871628E489FDB98EB1C8468A3577E2FBAC721B55066AA41DD33A1CE20EC448745

Function 00007FFE165117E2 Relevance: 1.3, Strings: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0#Ct, xrefs: 00007FFE16511832

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID: 0#Ct
API String ID: 0-1733850855
Opcode ID: 36018f5ce6a9f02d9893d399ce472606ce67c5e6617a6251a4d30bf5e94ae936
Instruction ID: 69b3bf3a0c8c37870ed21b949926cd56a82d96aad0b84a39c4040fea60b9e962
Opcode Fuzzy Hash: 36018f5ce6a9f02d9893d399ce472606ce67c5e6617a6251a4d30bf5e94ae936
Instruction Fuzzy Hash: 26F0AF35A08A2C8FDFA6EB18C894AA877F5FB69700F1400D5904CE7261CA70AFC1CF81

Function 00007FFE165E2292 Relevance: .3, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2556161619.00007FFE165E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE165E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe165e0000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0232c9cfdfc7d1ef997c99aaf3a644c3aaf0ee430691d88c091004a59b2c5711
Instruction ID: 2b6599888a0b2175b25d6e42040aacf02aec52be596ef7dde4c1ccf781b25599
Opcode Fuzzy Hash: 0232c9cfdfc7d1ef997c99aaf3a644c3aaf0ee430691d88c091004a59b2c5711
Instruction Fuzzy Hash: B3719130B1CE494FEB99D72DD455678B7D2EF99320B1445BAD08EC72A7CE28AC428781

Function 00007FFE165E1BCE Relevance: .2, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2556161619.00007FFE165E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE165E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe165e0000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb27c0eb28fb7a3ca6aa1ecd4500dc09d95ece0ad7ca6b5849aaa5f1aff1ac5
Instruction ID: 5de32e7fadd4b5d661fb412ac446ccf84aab379e94e54f734f02579bc0c35160
Opcode Fuzzy Hash: 5cb27c0eb28fb7a3ca6aa1ecd4500dc09d95ece0ad7ca6b5849aaa5f1aff1ac5
Instruction Fuzzy Hash: AB419E20B1CD498FEBA8D72CD4587B4B7E2EF99321F1444BAD44EC72B2DD29AC428741

Function 00007FFE16510E0F Relevance: .1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50e3296a453183acc1ba45a247bdacc1d3dbb6e765cfbc04a534f6a3b20ccf7
Instruction ID: f49f3b92da0edd3943a1a5d2e438852d4c49d57b0c27c3ba5065a430004c795e
Opcode Fuzzy Hash: d50e3296a453183acc1ba45a247bdacc1d3dbb6e765cfbc04a534f6a3b20ccf7
Instruction Fuzzy Hash: E841D674A05A1D8FDB98EF18D498BA9B7B2FB58310F1045E9D40EE72A1DB35AD84CF40

Function 00007FFE16512F4F Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85eb8369555785a97631cbd84837052f728e27e12afb956d7fbdb2be750ac49
Instruction ID: 3795d14bc132fc4da030c6d8160b4db9055430b6eab7e0e4bca447a809f88ff1
Opcode Fuzzy Hash: c85eb8369555785a97631cbd84837052f728e27e12afb956d7fbdb2be750ac49
Instruction Fuzzy Hash: 1B311930918A5E8FDB54EF68C855AEE7BF1FF58301F0005BAE419E32A1DB35A550CB81

Function 00007FFE165E0380 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2556161619.00007FFE165E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE165E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe165e0000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914540a96338ff758e954d8939681bfb542e8cc6581c5b4d76cddf8b568bbedc
Instruction ID: 6b1b916efeb7dc2148a7b70e24e40058bce4a212653a86857473020ae291daf5
Opcode Fuzzy Hash: 914540a96338ff758e954d8939681bfb542e8cc6581c5b4d76cddf8b568bbedc
Instruction Fuzzy Hash: CF21B03071CD094FDB68E61DD849A7AB3D2EB99331B14077EE40EC32A6DD24AC4282C5

Function 00007FFE16510AA2 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b29f294b4c420f0d247b91c350960ea0c877cfdfc93d065c3e727ff0807853
Instruction ID: 20535156a03b7cb433fa9b7453de35f7b59fbf93e9823dd3f63d92ea74e1c305
Opcode Fuzzy Hash: 23b29f294b4c420f0d247b91c350960ea0c877cfdfc93d065c3e727ff0807853
Instruction Fuzzy Hash: C121607190CF898EE391CF18C8593A97FE1FBA6728F1400AAC05DD76DACB792415C740

Function 00007FFE16512CD7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39b6cc7cf9abed4f0a5a223a79e8f0e1e5b2ac6d9d3182fedc8246c40edcf1dd
Instruction ID: 23204d8f84d5be7bf7c0fa1d74ce9a55f65c982ae84734b210d04ba840f946cc
Opcode Fuzzy Hash: 39b6cc7cf9abed4f0a5a223a79e8f0e1e5b2ac6d9d3182fedc8246c40edcf1dd
Instruction Fuzzy Hash: CD11E17090DA889FDB59DF24C868AA97FB1FF21314F0840EED409C70A2CB29E594C701

Function 00007FFE165132A8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0584fcca1513d2edb9575f02a438d70c81cd3ff18b739b1b9ada04a493076d7
Instruction ID: fffa2dc305f8bd1cecde3b90e53dc21a181b3f15f71705b2e3e33288bfa96cba
Opcode Fuzzy Hash: e0584fcca1513d2edb9575f02a438d70c81cd3ff18b739b1b9ada04a493076d7
Instruction Fuzzy Hash: 3311FA71D18A5D8FEBA4EB28C8557E8B7B2FB58311F4004B9D00DE2692CF785984CB40

Function 00007FFE16511F71 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e802044cde94cd7e438db7ce7c00746615784ff29a56133bfe1be1fbb456323c
Instruction ID: fcad3e6f7e2ebc1025ac79c6d9bcd8620438815be48a5d23c4551b8c14c2336f
Opcode Fuzzy Hash: e802044cde94cd7e438db7ce7c00746615784ff29a56133bfe1be1fbb456323c
Instruction Fuzzy Hash: EB11A874A18A1D8FCFA9DB18C894AA873B6FF59301F1045E9D00DE7261CB75AE80CF40

Function 00007FFE16512FA0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9e005d4783699267bab14b7e4de7db882dc580604a0924e07528907e8e5b8e
Instruction ID: 087aa235b96ec3b8ed0237f6946d786665cf37e975e00692092f5126a9ba9240
Opcode Fuzzy Hash: 4c9e005d4783699267bab14b7e4de7db882dc580604a0924e07528907e8e5b8e
Instruction Fuzzy Hash: 1B01E930918A4D9FDF84EF68C859AEA7BF1FF28305F00056AE419D3260DB30A554CB81

Function 00007FFE16513775 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d3b0736c97c199393a2df91069ab6a8b78c10b9df8eed67f9570342a600f0f
Instruction ID: 6c21781e74752a0811d72ef6aa78a80c207bdb5b964db15c07466f9caebac3f0
Opcode Fuzzy Hash: 71d3b0736c97c199393a2df91069ab6a8b78c10b9df8eed67f9570342a600f0f
Instruction Fuzzy Hash: 2A017170908A4D8FCF85EF58C858AED7BF0FF68300F4005AAD419D7261DB309554CB80

Function 00007FFE16512EE0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72fecdc21c5da6a0f082724e05c2f0b8380c135b9d90ca4abb340ef818d35529
Instruction ID: dac551294fa6f5faa913368eac7e18467f655f111bf439c0294331420a3491cf
Opcode Fuzzy Hash: 72fecdc21c5da6a0f082724e05c2f0b8380c135b9d90ca4abb340ef818d35529
Instruction Fuzzy Hash: 5401D630914A4D9FDF84EF68C849AEE7BF1FB68305F1045AAE819D3260DB70A590CB81

Function 00007FFE1651185F Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f25281219ba169e46e6857a2eaba568b83a46e667c9731b17c400f6eaae56b
Instruction ID: c1cd97784ad5f57f17fd4748832ce3b3d537ed53cfa3fdfa33f46b3754e842ff
Opcode Fuzzy Hash: 19f25281219ba169e46e6857a2eaba568b83a46e667c9731b17c400f6eaae56b
Instruction Fuzzy Hash: 4B015970909A1D8FDFA9EB18C894AA8B7B9FB59741F1011E9D00DE7261DB71AE80CF40

Function 00007FFE16512F08 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121ad0414e560e310bc3bdce23b21b44704ab8858cb5e7dc353b191f9317118c
Instruction ID: 120c93c0fcf081f53aeddfbeaf4c7c578f6e906c4a70eeca7d879190d7294ae1
Opcode Fuzzy Hash: 121ad0414e560e310bc3bdce23b21b44704ab8858cb5e7dc353b191f9317118c
Instruction Fuzzy Hash: DD01BB7091495D8FDF84EF58C888AAE77F1FB68305F1045AAE41DD3664DB31A590CB80

Function 00007FFE16513790 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d8a379a7d5fc211444e57aa39cf96db5b615be0e5565e044b609e4a7657fbd
Instruction ID: a0a6c42a4bfa0e70e80e02acb92917c71676422d80b11cadbeef644d445ea877
Opcode Fuzzy Hash: 86d8a379a7d5fc211444e57aa39cf96db5b615be0e5565e044b609e4a7657fbd
Instruction Fuzzy Hash: DA01EC7091495D8FDF84EF68C848AEEBBF0FF68305F00056AE419D3260DB709694CB80

Function 00007FFE16511E4F Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb302c3e2802f12fe67636707d8204ef0ffd3f169310705ed612d452fa9a3d0e
Instruction ID: 993044e6b1849c0858158fd64e834a9adc696d30ebf7948f639f9700a87581cd
Opcode Fuzzy Hash: fb302c3e2802f12fe67636707d8204ef0ffd3f169310705ed612d452fa9a3d0e
Instruction Fuzzy Hash: F0F0AF34C0CB0A8FDB798A05C85127833F7EF85322F0009F8E45D926A0DB396E42CA90

Function 00007FFE165E06EF Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2556161619.00007FFE165E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE165E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe165e0000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71b79ba28e66a5933f65724f3eab6a681456468e6d3afa0031fa6f1a7901f67
Instruction ID: a531445e4b354532d75865f69c9217b13fc194822ae3c56c22c866ff37ea77ca
Opcode Fuzzy Hash: a71b79ba28e66a5933f65724f3eab6a681456468e6d3afa0031fa6f1a7901f67
Instruction Fuzzy Hash: 12F05831708E198FDB98DB0CD458A38B7D2EBEC321B1A026AD40DC3364CE30A8918700

Function 00007FFE16510818 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd9fd4d52ca0d5195cc10c690ecc09f517ea9d6889653befcf2d4c862cd2f45
Instruction ID: 80949f26b2e3245aa2ef6ad2d19a9189277dbd225e303f0d8290e71b1a638f76
Opcode Fuzzy Hash: 8cd9fd4d52ca0d5195cc10c690ecc09f517ea9d6889653befcf2d4c862cd2f45
Instruction Fuzzy Hash: FFF0A97491495DCFDB84EF58C848AAEB7F0FF58304F0049A9E42DD7260DB70AA50CB41

Function 00007FFE165E211C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2556161619.00007FFE165E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE165E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe165e0000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95bd0b9ffebf8062da72731a211480e0b7194cb0178d06d25d4e79cff3872de
Instruction ID: cf9f261c716814570924f5380778ca7728f6c25d86c80969beda84d479d8325c
Opcode Fuzzy Hash: d95bd0b9ffebf8062da72731a211480e0b7194cb0178d06d25d4e79cff3872de
Instruction Fuzzy Hash: 22F01C31618E088FDB98DB1C8459B3A77E2FBEC751B59056EA44DC33A1DE21DC448741

Function 00007FFE1651220F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db45a048adb60223fbf7e0d3524af46310ba410f8f0530d85b60deec173ce2ad
Instruction ID: eb48eeae282499a75a2506e4378c2ad5cebee1676e146d1de33aea0c3fa37cd9
Opcode Fuzzy Hash: db45a048adb60223fbf7e0d3524af46310ba410f8f0530d85b60deec173ce2ad
Instruction Fuzzy Hash: B5F0A934918A5DCFDF84EF58C848AADB7F0FF59300F0005A9E429D7260DB709954CB41

Function 00007FFE16512D68 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd921fe59e44ea7d1b72340168fb813b6299e2fc3fe8845f0c6a36d7aa5345a
Instruction ID: b143a66247d0777540dd694f89835a7c9ba98d884e169aebb17991fcc457ee42
Opcode Fuzzy Hash: 3cd921fe59e44ea7d1b72340168fb813b6299e2fc3fe8845f0c6a36d7aa5345a
Instruction Fuzzy Hash: DCF0303581498D9FDF58EF18C498AA97BF0FF54305F0044E9E40AD21A0DB719594CB40

Function 00007FFE16512D70 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43bc2a38f4815a8590aba866327d08e187c07aee758a23983c914ae0c544d097
Instruction ID: 5de1e0531def7abdc4c6802a7fa0aee900f64eb85c9cd210891f88b46f626e52
Opcode Fuzzy Hash: 43bc2a38f4815a8590aba866327d08e187c07aee758a23983c914ae0c544d097
Instruction Fuzzy Hash: 4FF0FE3081494C9FDF48EF58C458AA9B7F0FF58305F0044AAE41DC31A0DB319594CB41

Function 00007FFE165E07CE Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2556161619.00007FFE165E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE165E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe165e0000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a80aebcc2a3893eda896e8b7f3bc0550e2492d45e59413d6e5a66734c97076b
Instruction ID: eaa90bad80b344072b6c5e4d8d82ba786d815955cc4c8b592636fc8454794c45
Opcode Fuzzy Hash: 3a80aebcc2a3893eda896e8b7f3bc0550e2492d45e59413d6e5a66734c97076b
Instruction Fuzzy Hash: 65F0DA30218D099FCF94EB19C068E28B7E2EB98311B58459DD00EC76A1CA24EC91CB81

Function 00007FFE165E2301 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2556161619.00007FFE165E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE165E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe165e0000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9ef7ffe1241748a6a32b2757f8400996e1330eb61da30949be2d58570dbd58
Instruction ID: 8e5543e6ce82d3903184204b1aeb120f60c8c8225c071c30cea47ddd31a9b002
Opcode Fuzzy Hash: ff9ef7ffe1241748a6a32b2757f8400996e1330eb61da30949be2d58570dbd58
Instruction Fuzzy Hash: 9EE0E571718E198FEBD8DB0CC459B29BBD2FBAC361B89466AA48DC3364CA34DC018744

Function 00007FFE16510875 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1daa1960014b573b724817bd8136064562a53a55c6e96a61d1f47f89068eb9b
Instruction ID: 2f087b120231d5788005ed186fd3f6b968daf19a3fd9079147d456f2dfe8c3a0
Opcode Fuzzy Hash: d1daa1960014b573b724817bd8136064562a53a55c6e96a61d1f47f89068eb9b
Instruction Fuzzy Hash: 1DE0652155D7C99FD71722A998110B43F319F43214F0A08F3E488C64F3DD181928C363

Function 00007FFE16513332 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0083234aa76b5c951e1e8679220bd87bbcc28c4a7dc27165724f422521a86fea
Instruction ID: 4fe2f79aec58b26d81e05353c059dd9af1754f5f49f7f379e95176c4a467dd47
Opcode Fuzzy Hash: 0083234aa76b5c951e1e8679220bd87bbcc28c4a7dc27165724f422521a86fea
Instruction Fuzzy Hash: C0F0A27192491D8FDBA4DB28C851BA9B7B2FF95300F9145E9D01DE32A6CA34AD848F50

Function 00007FFE16510D01 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86648eb1416491141b9a44f8a03ae52094d37b021ebe24829c4e82be3ac78477
Instruction ID: 63212b71bbe6a39155c2ac40a6eac6314b8927aa86b5937c1a647bf3a77a5d9c
Opcode Fuzzy Hash: 86648eb1416491141b9a44f8a03ae52094d37b021ebe24829c4e82be3ac78477
Instruction Fuzzy Hash: 47E0926292C7C94FE359AB34855A2AC7FA1AF54311F4508FAD114CA1E3DE2C6448C702

Function 00007FFE1651279C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c1989639b58cfe1ab4755eb7b115e9a0b93d2a54ea946ab1753fc12d7bbeac
Instruction ID: 1150f9a3728d09e18c4d3244524b753eb8b84db7e76065c97796ae12c504877e
Opcode Fuzzy Hash: f9c1989639b58cfe1ab4755eb7b115e9a0b93d2a54ea946ab1753fc12d7bbeac
Instruction Fuzzy Hash: 9DE0E63062494A4FE384FF24C8A97FD62A2FF48300F5008B9E41DC75F2CE256841CB40

Function 00007FFE1651320B Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae67074e179399e5056462c1200109dd55fb4d7609309c6f66078405255d87f2
Instruction ID: ffc143ab17d64ba772bc993a38c7e1eb7ff551ee694c8a8f179f54833f13a19e
Opcode Fuzzy Hash: ae67074e179399e5056462c1200109dd55fb4d7609309c6f66078405255d87f2
Instruction Fuzzy Hash: 7DD01772C2890DAEDB00EB64C8115EDBA72BF54240F5044A2E42DD61B6DF34AA898A40

Function 00007FFE16510D74 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4713f771fcff6bc1f7a05d6c8658a328a96cf13ca6e1a53ac7341952d5a4caed
Instruction ID: 3b17b53e8287bd29d26a1e63264825ad65c40333739fe143ca5e2465b552c30b
Opcode Fuzzy Hash: 4713f771fcff6bc1f7a05d6c8658a328a96cf13ca6e1a53ac7341952d5a4caed
Instruction Fuzzy Hash: E3D0923191480DABEB84EB94D4891ED7BB5EF48201F1010A6E44ED2162DF356A528B41

Function 00007FFE16510DCB Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4482e71d2eb84cdd9d21d1b43bcc5c351bb2971099c5d6a4915e08dc31d23f22
Instruction ID: ba564f461797f68a01002ace39a70682a2081416af6c60bb2f3c53f76cb483aa
Opcode Fuzzy Hash: 4482e71d2eb84cdd9d21d1b43bcc5c351bb2971099c5d6a4915e08dc31d23f22
Instruction Fuzzy Hash: F6D0A736C055885ECF41AF2094100FD7BB5EF4A210F1500E6D46CC3253ED301D158750

Function 00007FFE165127E0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2555687079.00007FFE16510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE16510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe16510000_xMYbN0Yd2a.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f07f0bd29a22a2e14d830534fc865e898a05edcb0c902e7384d74410822455
Instruction ID: 8234a5cf86798d19b5525253e6171926ac03aa24c35d33be4d74fba5dafeffb2
Opcode Fuzzy Hash: 90f07f0bd29a22a2e14d830534fc865e898a05edcb0c902e7384d74410822455
Instruction Fuzzy Hash: 8AC08C217289020BF648B360C0626FD80029F80700B508CBEE02A814F7CD1CA8018310

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xMYbN0Yd2a.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
xMYbN0Yd2a.exe

Function 00007FFE167321FF Relevance: 1.7, APIs: 1, Instructions: 153
fileCOMMON

Function 00007FFE16510F47 Relevance: 1.4, Strings: 1, Instructions: 188
COMMON

Function 00007FFE165115D6 Relevance: 1.4, Strings: 1, Instructions: 125
COMMON

Function 00007FFE165E04FF Relevance: 1.3, Strings: 1, Instructions: 36
COMMON

Function 00007FFE165117E2 Relevance: 1.3, Strings: 1, Instructions: 27
COMMON

Function 00007FFE165E2292 Relevance: .3, Instructions: 262
COMMON

Function 00007FFE165E1BCE Relevance: .2, Instructions: 153
COMMON

Function 00007FFE16510E0F Relevance: .1, Instructions: 126
COMMON