Edit tour

Windows Analysis Report
KBvv1g0Ihn.exe

Overview

General Information

Sample name:	KBvv1g0Ihn.exe renamed because original name is a hash value
Original sample name:	88304d367179a59758a8f4517f37cb7f03f4ec447658ab93f0d1fbe59268a904.exe
Analysis ID:	1554439
MD5:	49a5ac0f7efb1a9d8435d4f92b07dd45
SHA1:	3481320c4a63359ba1eb56a54aa991fc38dc9cdc
SHA256:	88304d367179a59758a8f4517f37cb7f03f4ec447658ab93f0d1fbe59268a904
Tags:	4-251-123-83exeuser-JAMESWT_MHT
Infos:

Detection

Meduza Stealer, PureLog Stealer, RedLine, zgRAT

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Meduza Stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Use Short Name Path in Command Line

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

KBvv1g0Ihn.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\KBvv1g0Ihn.exe" MD5: 49A5AC0F7EFB1A9D8435D4F92B07DD45)

KBvv1g0Ihn.tmp (PID: 3216 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp" /SL5="$10432,41796246,816128,C:\Users\user\Desktop\KBvv1g0Ihn.exe" MD5: 96E71B42AF1B612788D51E0486213741)

build.exe (PID: 7784 cmdline: "C:\Users\user\AppData\Local\Programs\Xavier1\build.exe" MD5: C9B68B9567CC9067794E32999C02BFA7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: RedLine

{"C2 url": "4.251.123.83:6677"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45c19:$s1: file:/// 0x45b51:$s2: {11111-22222-10009-11112} 0x45ba9:$s3: {11111-22222-50001-00000} 0x423fa:$s4: get_Module 0x42864:$s5: Reverse 0x45226:$s6: BlockCopy 0x42c23:$s7: ReadByte 0x45c2b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Memory Dumps

Source	Rule	Description	Author
0000000C.00000000.1722289341.0000000000152000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000000.1722289341.0000000000152000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000C.00000002.1819024150.000000000262D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: build.exe PID: 7784	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: build.exe PID: 7784	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: build.exe PID: 7784	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.0.build.exe.150000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
12.0.build.exe.150000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.0.build.exe.150000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
12.0.build.exe.150000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45c19:$s1: file:/// 0x45b51:$s2: {11111-22222-10009-11112} 0x45ba9:$s3: {11111-22222-50001-00000} 0x423fa:$s4: get_Module 0x42864:$s5: Reverse 0x45226:$s6: BlockCopy 0x42c23:$s7: ReadByte 0x45c2b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp" /SL5="$10432,41796246,816128,C:\Users\user\Desktop\KBvv1g0Ihn.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp" /SL5="$10432,41796246,816128,C:\Users\user\Desktop\KBvv1g0Ihn.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp, ParentCommandLine: "C:\Users\user\Desktop\KBvv1g0Ihn.exe", ParentImage: C:\Users\user\Desktop\KBvv1g0Ihn.exe, ParentProcessId: 6632, ParentProcessName: KBvv1g0Ihn.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp" /SL5="$10432,41796246,816128,C:\Users\user\Desktop\KBvv1g0Ihn.exe" , ProcessId: 3216, ProcessName: KBvv1g0Ihn.tmp

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T14:56:32.469551+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.7	49730	TCP
2024-11-12T14:57:11.560317+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.7	49919	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T14:57:05.019107+0100	2046056	1	A Network Trojan was detected	4.251.123.83	6677	192.168.2.7	49895	TCP

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T14:57:04.503004+0100	2046045	1	A Network Trojan was detected	192.168.2.7	49895	4.251.123.83	6677	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: build.exe.7784.12.memstrmin

Malware Configuration Extractor: RedLine {"C2 url": "4.251.123.83:6677"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe (copy)	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: KBvv1g0Ihn.exe

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 86.4% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp

Joe Sandbox ML: detected

Source: KBvv1g0Ihn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.The MIT License (MIT)Copyright (c) 2011-2024 The Bootstrap AuthorsPermission is hereby granted free of charge to any person obtaining a copyof this software and associated documentation files (the "Software") to dealin the Software without restriction including without limitation the rightsto use copy modify merge publish distribute sublicense and/or sellcopies of the Software and to permit persons to whom the Software isfurnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included inall copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS ORIMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITYFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THEAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHERLIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROMOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS INTHE SOFTWARE.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.The MIT License (MIT)Copyright (c) 2011-2024 The Bootstrap AuthorsPermission is hereby granted free of charge to any person obtaining a copyof this software and associated documentation files (the "Software") to dealin the Software without restriction including without limitation the rightsto use copy modify merge publish distribute sublicense and/or sellcopies of the Software and to permit persons to whom the Software isfurnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included inall copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS ORIMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITYFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THEAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHERLIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROMOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS INTHE SOFTWARE.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.The MIT License (MIT)Copyright (c) 2011-2024 The Bootstrap AuthorsPermission is hereby granted free of charge to any person obtaining a copyof this software and associated documentation files (the "Software") to dealin the Software without restriction including without limitation the rightsto use copy modify merge publish distribute sublicense and/or sellcopies of the Software and to permit persons to whom the Software isfurnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included inall copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS ORIMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITYFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THEAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHERLIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROMOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS INTHE SOFTWARE.I &accept the agreementI &do not accept the agreement&NextCancel

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E7AB5A61-4710-401C-A801-32A06671F356}_is1

Jump to behavior

Source: KBvv1g0Ihn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb source: is-K1FQL.tmp.5.dr
Source:	Binary string: Eazfuscator.NET.Integration.VisualStudio.pdb source: is-NH14E.tmp.5.dr
Source:	Binary string: w. a.PdB source: KBvv1g0Ihn.exe
Source:	Binary string: Eazfuscator.NET.Integration.VisualStudio.pdbPK source: is-NH14E.tmp.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\uica.pdb source: is-NH14E.tmp.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\wixca.pdb source: is-NH14E.tmp.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\SfxCA.pdb source: is-NH14E.tmp.5.dr
Source:	Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb/ source: is-K1FQL.tmp.5.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.7:49895 -> 4.251.123.83:6677
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 4.251.123.83:6677 -> 192.168.2.7:49895

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 4.251.123.83:6677

Source: global traffic

TCP traffic: 192.168.2.7:49895 -> 4.251.123.83:6677

Source: Joe Sandbox View

IP Address: 4.251.123.83 4.251.123.83

Source: Joe Sandbox View

ASN Name: LEVEL3US LEVEL3US

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.7:49730
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.7:49919

Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83
Source: unknown	TCP traffic detected without corresponding DNS query: 4.251.123.83

Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: build.exe, 0000000C.00000002.1852096121.000000001B6A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: build.exe, 0000000C.00000002.1852096121.000000001B6A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb5 equals www.youtube.com (Youtube)
Source: build.exe, 0000000C.00000002.1819024150.0000000002911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: uC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: build.exe, 0000000C.00000002.1819024150.0000000002911000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: uC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldbh equals www.youtube.com (Youtube)

Source: is-K1FQL.tmp.5.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: KBvv1g0Ihn.tmp, 00000005.00000002.1739500813.0000000000D0C000.00000004.00000010.00020000.00000000.sdmp, is-NH14E.tmp.5.dr, is-K1FQL.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: KBvv1g0Ihn.tmp, 00000005.00000002.1739500813.0000000000D0C000.00000004.00000010.00020000.00000000.sdmp, is-K1FQL.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: KBvv1g0Ihn.tmp, 00000005.00000002.1739500813.0000000000D0C000.00000004.00000010.00020000.00000000.sdmp, is-NH14E.tmp.5.dr, is-K1FQL.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: KBvv1g0Ihn.tmp, 00000005.00000002.1739500813.0000000000D0C000.00000004.00000010.00020000.00000000.sdmp, is-NH14E.tmp.5.dr, is-K1FQL.tmp.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: is-NH14E.tmp.5.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: is-NH14E.tmp.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: is-NH14E.tmp.5.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: KBvv1g0Ihn.tmp, 00000005.00000002.1739500813.0000000000D0C000.00000004.00000010.00020000.00000000.sdmp, is-NH14E.tmp.5.dr, is-K1FQL.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: KBvv1g0Ihn.tmp, 00000005.00000002.1739500813.0000000000D0C000.00000004.00000010.00020000.00000000.sdmp, is-K1FQL.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: KBvv1g0Ihn.tmp, 00000005.00000002.1739500813.0000000000D0C000.00000004.00000010.00020000.00000000.sdmp, is-NH14E.tmp.5.dr, is-K1FQL.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-K1FQL.tmp.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: KBvv1g0Ihn.tmp, 00000005.00000002.1739500813.0000000000D0C000.00000004.00000010.00020000.00000000.sdmp, is-K1FQL.tmp.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: is-NH14E.tmp.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: is-NH14E.tmp.5.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: is-NH14E.tmp.5.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: KBvv1g0Ihn.tmp, 00000005.00000002.1739500813.0000000000D0C000.00000004.00000010.00020000.00000000.sdmp, is-K1FQL.tmp.5.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: KBvv1g0Ihn.tmp, 00000005.00000002.1739500813.0000000000D0C000.00000004.00000010.00020000.00000000.sdmp, is-NH14E.tmp.5.dr, is-K1FQL.tmp.5.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: KBvv1g0Ihn.tmp, 00000005.00000002.1739500813.0000000000D0C000.00000004.00000010.00020000.00000000.sdmp, is-NH14E.tmp.5.dr, is-K1FQL.tmp.5.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: KBvv1g0Ihn.tmp, 00000005.00000002.1739500813.0000000000D0C000.00000004.00000010.00020000.00000000.sdmp, is-NH14E.tmp.5.dr, is-K1FQL.tmp.5.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: is-NH14E.tmp.5.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: build.exe, 0000000C.00000002.1819024150.000000000262D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field1
Source: build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field1Response
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field2
Source: build.exe, 0000000C.00000002.1819024150.000000000262D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field2Response
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field3
Source: build.exe, 0000000C.00000002.1819024150.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/example/Field3Response
Source: KBvv1g0Ihn.tmp, 00000005.00000002.1739500813.0000000000D0C000.00000004.00000010.00020000.00000000.sdmp, is-K1FQL.tmp.5.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: build.exe, 0000000C.00000002.1819024150.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: build.exe, 0000000C.00000002.1819024150.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: KBvv1g0Ihn.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: is-NH14E.tmp.5.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: is-NH14E.tmp.5.dr	String found in binary or memory: https://www.gapotchenko.com/eazfuscator.net
Source: build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: KBvv1g0Ihn.exe, 00000000.00000003.1268008460.000000007FAAB000.00000004.00001000.00020000.00000000.sdmp, KBvv1g0Ihn.exe, 00000000.00000003.1266707119.0000000003120000.00000004.00001000.00020000.00000000.sdmp, KBvv1g0Ihn.tmp, 00000005.00000000.1269529793.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, KBvv1g0Ihn.tmp.0.dr, is-3HDQ6.tmp.5.dr	String found in binary or memory: https://www.innosetup.com/
Source: KBvv1g0Ihn.exe, 00000000.00000003.1268008460.000000007FAAB000.00000004.00001000.00020000.00000000.sdmp, KBvv1g0Ihn.exe, 00000000.00000003.1266707119.0000000003120000.00000004.00001000.00020000.00000000.sdmp, KBvv1g0Ihn.tmp, 00000005.00000000.1269529793.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, KBvv1g0Ihn.tmp.0.dr, is-3HDQ6.tmp.5.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.0.build.exe.150000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Code function: 12_2_00007FFAAC53C50A	12_2_00007FFAAC53C50A
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Code function: 12_2_00007FFAAC539BA1	12_2_00007FFAAC539BA1
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Code function: 12_2_00007FFAAC5316B3	12_2_00007FFAAC5316B3
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Code function: 12_2_00007FFAAC53A450	12_2_00007FFAAC53A450
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Code function: 12_2_00007FFAAC68F4CD	12_2_00007FFAAC68F4CD
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Code function: 12_2_00007FFAAC68269B	12_2_00007FFAAC68269B
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Code function: 12_2_00007FFAAC6921DB	12_2_00007FFAAC6921DB
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Code function: 12_2_00007FFAAC690B26	12_2_00007FFAAC690B26

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe (copy) 8DBCECF4F09CDB10EF4F2AC2AC3F66A28D148A63A381877F413CD5F5B39DB4E0
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp 8DBCECF4F09CDB10EF4F2AC2AC3F66A28D148A63A381877F413CD5F5B39DB4E0

Source: KBvv1g0Ihn.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-3HDQ6.tmp.5.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: is-3HDQ6.tmp.5.dr	Static PE information: Number of sections : 11 > 10
Source: KBvv1g0Ihn.exe	Static PE information: Number of sections : 11 > 10
Source: KBvv1g0Ihn.tmp.0.dr	Static PE information: Number of sections : 11 > 10

Source: KBvv1g0Ihn.exe, 00000000.00000000.1265124951.0000000000119000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs KBvv1g0Ihn.exe
Source: KBvv1g0Ihn.exe, 00000000.00000003.1268008460.000000007FD9B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs KBvv1g0Ihn.exe
Source: KBvv1g0Ihn.exe, 00000000.00000003.1266707119.000000000322F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs KBvv1g0Ihn.exe
Source: KBvv1g0Ihn.exe	Binary or memory string: OriginalFileName vs KBvv1g0Ihn.exe

Source: KBvv1g0Ihn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 12.0.build.exe.150000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: is-NH14E.tmp.5.dr

Binary or memory string: ItemTemplates/VisualBasic/Eazfuscator.NET/1033/ObfuscationSettings.vb/ObfuscationSettings.vbPK

Source: classification engine

Classification label: mal80.troj.spyw.evad.winEXE@5/13@0/1

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\KBvv1g0Ihn.exe

File created: C:\Users\user~1\AppData\Local\Temp\is-PLHR2.tmp

Jump to behavior

Source: C:\Users\user\Desktop\KBvv1g0Ihn.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\KBvv1g0Ihn.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\KBvv1g0Ihn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: KBvv1g0Ihn.exe

ReversingLabs: Detection: 23%

Source: KBvv1g0Ihn.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\KBvv1g0Ihn.exe

File read: C:\Users\user\Desktop\KBvv1g0Ihn.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KBvv1g0Ihn.exe "C:\Users\user\Desktop\KBvv1g0Ihn.exe"
Source: C:\Users\user\Desktop\KBvv1g0Ihn.exe	Process created: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp "C:\Users\user~1\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp" /SL5="$10432,41796246,816128,C:\Users\user\Desktop\KBvv1g0Ihn.exe"
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Process created: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe "C:\Users\user\AppData\Local\Programs\Xavier1\build.exe"
Source: C:\Users\user\Desktop\KBvv1g0Ihn.exe	Process created: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp "C:\Users\user~1\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp" /SL5="$10432,41796246,816128,C:\Users\user\Desktop\KBvv1g0Ihn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Process created: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe "C:\Users\user\AppData\Local\Programs\Xavier1\build.exe"	Jump to behavior

Source: C:\Users\user\Desktop\KBvv1g0Ihn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KBvv1g0Ihn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Xavier1.lnk.5.dr

LNK file: ..\..\..\..\..\Local\Programs\Xavier1\build.exe

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp

Window found: window name: TMainForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Automated click: I accept the agreement

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.The MIT License (MIT)Copyright (c) 2011-2024 The Bootstrap AuthorsPermission is hereby granted free of charge to any person obtaining a copyof this software and associated documentation files (the "Software") to dealin the Software without restriction including without limitation the rightsto use copy modify merge publish distribute sublicense and/or sellcopies of the Software and to permit persons to whom the Software isfurnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included inall copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS ORIMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITYFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THEAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHERLIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROMOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS INTHE SOFTWARE.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.The MIT License (MIT)Copyright (c) 2011-2024 The Bootstrap AuthorsPermission is hereby granted free of charge to any person obtaining a copyof this software and associated documentation files (the "Software") to dealin the Software without restriction including without limitation the rightsto use copy modify merge publish distribute sublicense and/or sellcopies of the Software and to permit persons to whom the Software isfurnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included inall copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS ORIMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITYFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THEAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHERLIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROMOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS INTHE SOFTWARE.I &accept the agreementI &do not accept the agreement&NextCancel
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.The MIT License (MIT)Copyright (c) 2011-2024 The Bootstrap AuthorsPermission is hereby granted free of charge to any person obtaining a copyof this software and associated documentation files (the "Software") to dealin the Software without restriction including without limitation the rightsto use copy modify merge publish distribute sublicense and/or sellcopies of the Software and to permit persons to whom the Software isfurnished to do so subject to the following conditions:The above copyright notice and this permission notice shall be included inall copies or substantial portions of the Software.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS ORIMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITYFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THEAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHERLIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROMOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS INTHE SOFTWARE.I &accept the agreementI &do not accept the agreement&NextCancel

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E7AB5A61-4710-401C-A801-32A06671F356}_is1

Jump to behavior

Source: KBvv1g0Ihn.exe

Static file information: File size 42744244 > 1048576

Source: KBvv1g0Ihn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb source: is-K1FQL.tmp.5.dr
Source:	Binary string: Eazfuscator.NET.Integration.VisualStudio.pdb source: is-NH14E.tmp.5.dr
Source:	Binary string: w. a.PdB source: KBvv1g0Ihn.exe
Source:	Binary string: Eazfuscator.NET.Integration.VisualStudio.pdbPK source: is-NH14E.tmp.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\uica.pdb source: is-NH14E.tmp.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\wixca.pdb source: is-NH14E.tmp.5.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\SfxCA.pdb source: is-NH14E.tmp.5.dr
Source:	Binary string: C:\agent\_work\138\s\build\ship\x86\burn.pdb/ source: is-K1FQL.tmp.5.dr

Source: is-8C5DR.tmp.5.dr

Static PE information: 0xE3FEC0F4 [Mon Mar 19 06:19:32 2091 UTC]

Source: KBvv1g0Ihn.exe	Static PE information: section name: .didata
Source: KBvv1g0Ihn.tmp.0.dr	Static PE information: section name: .didata
Source: is-3HDQ6.tmp.5.dr	Static PE information: section name: .didata
Source: is-K1FQL.tmp.5.dr	Static PE information: section name: .wixburn

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Code function: 12_2_00007FFAAC4663EE push ss; retf	12_2_00007FFAAC4663EF
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Code function: 12_2_00007FFAAC465CB0 push edi; iretd	12_2_00007FFAAC465CB6
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Code function: 12_2_00007FFAAC53CB4F push eax; retf	12_2_00007FFAAC53CB61
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Code function: 12_2_00007FFAAC532004 pushad ; retf	12_2_00007FFAAC532005

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	File created: C:\Users\user\AppData\Local\Programs\Xavier1\is-3HDQ6.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\KBvv1g0Ihn.exe	File created: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	File created: C:\Users\user\AppData\Local\Temp\is-VNJ7M.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	File created: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	File created: C:\Users\user\AppData\Local\Programs\Xavier1\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	File created: C:\Users\user\AppData\Local\Programs\Xavier1\python-3.13.0-amd64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	File created: C:\Users\user\AppData\Local\Programs\Xavier1\is-K1FQL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	File created: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Key value created or modified: HKEY_CURRENT_USER_Classes\.exe\OpenWithProgids Xavier1File.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Key value created or modified: HKEY_CURRENT_USER_Classes\.exe\OpenWithProgids Xavier1File.exe			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Xavier1.lnk

Jump to behavior

Source: C:\Users\user\Desktop\KBvv1g0Ihn.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KBvv1g0Ihn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: \QEMU-GA.EXE

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Memory allocated: 9E0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Memory allocated: 1A580000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Window / User API: threadDelayed 1353			Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Window / User API: threadDelayed 2106			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Xavier1\is-3HDQ6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VNJ7M.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Xavier1\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Xavier1\python-3.13.0-amd64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Xavier1\is-K1FQL.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe TID: 8056	Thread sleep time: -10145709240540247s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe TID: 7836	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: build.exe, 0000000C.00000002.1844202208.000000001298D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware20,11696492231^
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: build.exe, 0000000C.00000002.1844202208.0000000012729000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: build.exe, 0000000C.00000002.1852096121.000000001B6A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTT

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Queries volume information: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: build.exe PID: 7784, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 12.0.build.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.1722289341.0000000000152000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 12.0.build.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.1722289341.0000000000152000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 12.0.build.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: build.exe, 0000000C.00000002.1819024150.000000000262D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: build.exe, 0000000C.00000002.1819024150.000000000262D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectronCash
Source: build.exe, 0000000C.00000002.1819024150.000000000262D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: com.liberty.jaxx
Source: build.exe, 0000000C.00000002.1819024150.000000000262D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus
Source: build.exe, 0000000C.00000002.1819024150.000000000262D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: build.exe, 0000000C.00000000.1722289341.0000000000152000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Xavier1\build.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior

Source: Yara match	File source: 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1819024150.000000000262D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build.exe PID: 7784, type: MEMORYSTR

Remote Access Functionality

Yara detected Meduza Stealer

Source: Yara match

File source: Process Memory Space: build.exe PID: 7784, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 12.0.build.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.1722289341.0000000000152000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 12.0.build.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.1722289341.0000000000152000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 12.0.build.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 Windows Service	1 Windows Service	1 Masquerading	1 OS Credential Dumping	421 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	1 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	11 Registry Run Keys / Startup Folder	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	2 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	113 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
KBvv1g0Ihn.exe	24%	ReversingLabs	ByteCode-MSIL.Trojan.Mamut

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Programs\Xavier1\build.exe (copy)	66%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp	66%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
C:\Users\user\AppData\Local\Programs\Xavier1\is-K1FQL.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\Xavier1\python-3.13.0-amd64.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-VNJ7M.tmp\_isetup\_setup64.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://www.gapotchenko.com/eazfuscator.net	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.gapotchenko.com/eazfuscator.net	is-NH14E.tmp.5.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	KBvv1g0Ihn.exe	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	is-NH14E.tmp.5.dr	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://appsyndication.org/2006/appsynapplicationc:	is-K1FQL.tmp.5.dr	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.remobjects.com/ps	KBvv1g0Ihn.exe, 00000000.00000003.1268008460.000000007FAAB000.00000004.00001000.00020000.00000000.sdmp, KBvv1g0Ihn.exe, 00000000.00000003.1266707119.0000000003120000.00000004.00001000.00020000.00000000.sdmp, KBvv1g0Ihn.tmp, 00000005.00000000.1269529793.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, KBvv1g0Ihn.tmp.0.dr, is-3HDQ6.tmp.5.dr	false		high
https://www.innosetup.com/	KBvv1g0Ihn.exe, 00000000.00000003.1268008460.000000007FAAB000.00000004.00001000.00020000.00000000.sdmp, KBvv1g0Ihn.exe, 00000000.00000003.1266707119.0000000003120000.00000004.00001000.00020000.00000000.sdmp, KBvv1g0Ihn.tmp, 00000005.00000000.1269529793.00000000008E1000.00000020.00000001.01000000.00000005.sdmp, KBvv1g0Ihn.tmp.0.dr, is-3HDQ6.tmp.5.dr	false		high
https://discord.com/api/v9/users/	build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/example/Field1Response	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	build.exe, 0000000C.00000002.1819024150.000000000262D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/ip	build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/sc	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.w3.oh	build.exe, 0000000C.00000002.1819024150.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	is-NH14E.tmp.5.dr	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/example/Field1	build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/example/Field2	build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/example/Field3	build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	is-NH14E.tmp.5.dr	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/06/addressingex	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.w3.o	build.exe, 0000000C.00000002.1819024150.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/example/Field3Response	build.exe, 0000000C.00000002.1819024150.0000000002B3D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	is-NH14E.tmp.5.dr	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	build.exe, 0000000C.00000002.1819024150.0000000002581000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT	build.exe, 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	build.exe, 0000000C.00000002.1844202208.00000000129B5000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000C.00000002.1844202208.00000000125BF000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
4.251.123.83	unknown	United States		3356	LEVEL3US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554439
Start date and time:	2024-11-12 14:55:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KBvv1g0Ihn.exe renamed because original name is a hash value
Original Sample Name:	88304d367179a59758a8f4517f37cb7f03f4ec447658ab93f0d1fbe59268a904.exe
Detection:	MAL
Classification:	mal80.troj.spyw.evad.winEXE@5/13@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: KBvv1g0Ihn.exe

Simulations

Behavior and APIs

Time	Type	Description
10:42:57	API Interceptor	17x Sleep call for process: build.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
4.251.123.83	jyRdJ06Naz.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	rePERU8VUs.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	VJoillkb6X.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	9LrEuTWP8s.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	HAeAec7no3.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	EUFOvMxM2H.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	i4w1K6ft2F.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	xMYbN0Yd2a.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	FaZM14kDMN.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	j7movK82QT.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEVEL3US	jyRdJ06Naz.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	rePERU8VUs.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	VJoillkb6X.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	9LrEuTWP8s.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	HAeAec7no3.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	EUFOvMxM2H.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	i4w1K6ft2F.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	xMYbN0Yd2a.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	FaZM14kDMN.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83
	j7movK82QT.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	4.251.123.83

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp	jyRdJ06Naz.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse
C:\Users\user\AppData\Local\Programs\Xavier1\build.exe (copy)	jyRdJ06Naz.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Programs\Xavier1\build.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2611
Entropy (8bit):	5.363358188931451
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkafHKWA1eXrHKlT48BHK7HKmTHlHNW:iq+wmj0qCYqGSI6oPtzHeqKkGqhA7qZR
MD5:	CEA017D10C4D437981D19F21660A47FA
SHA1:	61AAFCECB5325DE172857CEF7C7E1F230F73AFFD
SHA-256:	60B099420455DECD1878FE84F217CFE478BA0BA5E6E574077150D08355A1DD96
SHA-512:	413384BF9D2EDC9BC2DF6D5175D09A33B91CCF9C53FE3CB21892CB57AF4FD8A9BE0608E9BCA57AF4A7F2709A4C110148719DA3210460DF433CFD77FA753B9CF8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Programs\Xavier1\Eazfuscator.NET 2024.2 Setup.msi (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Eazfuscator.NET, Author: Gapotchenko, Keywords: Installer, Comments: This installer database contains the logic and data required to install Eazfuscator.NET version 2024.2.614.14499., Template: Intel;1033, Revision Number: {5F546163-2F0B-4AB1-81C9-D20301E91375}, Create Time/Date: Sat Oct 19 06:12:08 2024, Last Saved Time/Date: Sat Oct 19 06:12:08 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
Category:	dropped
Size (bytes):	14606336
Entropy (8bit):	7.9729393420951045
Encrypted:	false
SSDEEP:	196608:z6p31U5I46utACLL3YpKWtSfFGXFsNX8KNEfosyruy+DZXmHok0pj3XDCn4Kt:2pFUG4XL32B/i82b5rnWZX8e1+n4
MD5:	5568EB1E06836D4127992517811F57E4
SHA1:	7A7E2735A66767D8B9C81870ADED998E971B762D
SHA-256:	AB63A259AC8218EB5E1E2CC3A4605F6F79E292239CE0C004DCFFBC807D0ED84A
SHA-512:	93A21BD55D7B9677AB190402C42EC3FE053D602A2736309BA3F02483E8C1EB2B100F719699FA93BBE53E3E1A2C6C1A002DE6AF5F662C9853A3AC0465518B114D
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Programs\Xavier1\build.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	346112
Entropy (8bit):	6.572244662396641
Encrypted:	false
SSDEEP:	6144:2DKXJVqDD/qxgATuaBNt1BrivR0V4TBjgYxs1wl206gBawFV2ceSb0BQ/GfM/4Qx:2DgYDzqxdXBNt1BrivR0V4TBjgYxs1wQ
MD5:	C9B68B9567CC9067794E32999C02BFA7
SHA1:	D999F0701086E1ECC87380CF002F37F985C6DE4C
SHA-256:	8DBCECF4F09CDB10EF4F2AC2AC3F66A28D148A63A381877F413CD5F5B39DB4E0
SHA-512:	9E24E7FAB933FBD5AD500B0759582D3417CCD571C248010BE486C53574F21E38A5D10DD2B14128CC4D4B4D922DC25806A14D46793B9E2FFE951B8C797F458C6A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Joe Sandbox View:	Filename: jyRdJ06Naz.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc...............F..............@..B........................H........K........../.......)............................................(O...(......{......{.....~....(....~....(.....(......}......}.....0..<........u......,0(.....{.....{....o....,.(.....{.....{....o....+... ..L0(.....{....o....X )UU.Z(.....{....o....X..0...........r...p......%..{.....................-.q.............-.&.+.......o.....%..{.....................-.q.............-.&.+.......o.....(......{......{.....~....(....~....(.....(......}......}....*...0..<...

C:\Users\user\AppData\Local\Programs\Xavier1\is-3HDQ6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3330109
Entropy (8bit):	6.54667575887517
Encrypted:	false
SSDEEP:	49152:UdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQW3334h:2JYVM+LtVt3P/KuG2ONG9iqLRQW333e
MD5:	5FE23499576D601D7CDFA3B85A62574E
SHA1:	9223AF2055D3B63DB5E44E67AE9E6833FCE2EDC8
SHA-256:	4DB60792BCAC80105833D395B198F712DC9A0C9A2155688C366F86C6F310F8A8
SHA-512:	9BB85B74B05AC292A8E27044A8954254A68D5D2A984FC633DBF092F706B3173C001DF69B12245620A556A25E19624D66B0B72487A4BE046C27F60C1984ED7887
Malicious:	true
Reputation:	low
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................@3...........@......@...................P,.n.....,.j:...P0.8.....................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...8....P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	346112
Entropy (8bit):	6.572244662396641
Encrypted:	false
SSDEEP:	6144:2DKXJVqDD/qxgATuaBNt1BrivR0V4TBjgYxs1wl206gBawFV2ceSb0BQ/GfM/4Qx:2DgYDzqxdXBNt1BrivR0V4TBjgYxs1wQ
MD5:	C9B68B9567CC9067794E32999C02BFA7
SHA1:	D999F0701086E1ECC87380CF002F37F985C6DE4C
SHA-256:	8DBCECF4F09CDB10EF4F2AC2AC3F66A28D148A63A381877F413CD5F5B39DB4E0
SHA-512:	9E24E7FAB933FBD5AD500B0759582D3417CCD571C248010BE486C53574F21E38A5D10DD2B14128CC4D4B4D922DC25806A14D46793B9E2FFE951B8C797F458C6A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Joe Sandbox View:	Filename: jyRdJ06Naz.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc...............F..............@..B........................H........K........../.......)............................................(O...(......{......{.....~....(....~....(.....(......}......}.....0..<........u......,0(.....{.....{....o....,.(.....{.....{....o....+... ..L0(.....{....o....X )UU.Z(.....{....o....X..0...........r...p......%..{.....................-.q.............-.&.+.......o.....%..{.....................-.q.............-.&.+.......o.....(......{......{.....~....(....~....(.....(......}......}....*...0..<...

C:\Users\user\AppData\Local\Programs\Xavier1\is-K1FQL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28160096
Entropy (8bit):	7.997949543387279
Encrypted:	true
SSDEEP:	393216:NQs3AMrF2S7Pr96of7sv2iZpAs2vEqhlKBe//u4fW9Xj9uXU//EAa6L4pGROW:NQs31rFn7Pr4Y4vbpCye//zf0TAEVJGq
MD5:	F5E5D48BA86586D4BEF67BCB3790D339
SHA1:	118838D3BC5D1A13CE71D8D83DE52427B1562124
SHA-256:	78156AD0CF0EC4123BFB5333B40F078596EBF15F2D062A10144863680AFBDEFC
SHA-512:	FFAEF212D55E3BDD87E79CBFACEBC0612FFC1C8C4B495585392746202DCE6332383199F0206113EE95EBB4A76D718D0700E1AED9AD518D43B7569A44F0A39427
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[.s...s...s.......s......$s.......s.......s.......s.......s.......s.......s...s...r.......s....Q..s...s9..s.......s..Rich.s..........................PE..L....RKa..........................................@......................................@.................................<............e..........P..../...P...=...{..T....................{.......z..@............................................text.............................. ..`.rdata..t...........................@..@.data...............................@....wixburn8...........................@..@.rsrc....e.......f..................@..@.reloc...=...P...>..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Programs\Xavier1\is-NH14E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Eazfuscator.NET, Author: Gapotchenko, Keywords: Installer, Comments: This installer database contains the logic and data required to install Eazfuscator.NET version 2024.2.614.14499., Template: Intel;1033, Revision Number: {5F546163-2F0B-4AB1-81C9-D20301E91375}, Create Time/Date: Sat Oct 19 06:12:08 2024, Last Saved Time/Date: Sat Oct 19 06:12:08 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
Category:	dropped
Size (bytes):	14606336
Entropy (8bit):	7.9729393420951045
Encrypted:	false
SSDEEP:	196608:z6p31U5I46utACLL3YpKWtSfFGXFsNX8KNEfosyruy+DZXmHok0pj3XDCn4Kt:2pFUG4XL32B/i82b5rnWZX8e1+n4
MD5:	5568EB1E06836D4127992517811F57E4
SHA1:	7A7E2735A66767D8B9C81870ADED998E971B762D
SHA-256:	AB63A259AC8218EB5E1E2CC3A4605F6F79E292239CE0C004DCFFBC807D0ED84A
SHA-512:	93A21BD55D7B9677AB190402C42EC3FE053D602A2736309BA3F02483E8C1EB2B100F719699FA93BBE53E3E1A2C6C1A002DE6AF5F662C9853A3AC0465518B114D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Programs\Xavier1\python-3.13.0-amd64.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28160096
Entropy (8bit):	7.997949543387279
Encrypted:	true
SSDEEP:	393216:NQs3AMrF2S7Pr96of7sv2iZpAs2vEqhlKBe//u4fW9Xj9uXU//EAa6L4pGROW:NQs31rFn7Pr4Y4vbpCye//zf0TAEVJGq
MD5:	F5E5D48BA86586D4BEF67BCB3790D339
SHA1:	118838D3BC5D1A13CE71D8D83DE52427B1562124
SHA-256:	78156AD0CF0EC4123BFB5333B40F078596EBF15F2D062A10144863680AFBDEFC
SHA-512:	FFAEF212D55E3BDD87E79CBFACEBC0612FFC1C8C4B495585392746202DCE6332383199F0206113EE95EBB4A76D718D0700E1AED9AD518D43B7569A44F0A39427
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[.s...s...s.......s......$s.......s.......s.......s.......s.......s.......s...s...r.......s....Q..s...s9..s.......s..Rich.s..........................PE..L....RKa..........................................@......................................@.................................<............e..........P..../...P...=...{..T....................{.......z..@............................................text.............................. ..`.rdata..t...........................@..@.data...............................@....wixburn8...........................@..@.rsrc....e.......f..................@..@.reloc...=...P...>..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Programs\Xavier1\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp
File Type:	InnoSetup Log Xavier1 {E7AB5A61-4710-401C-A801-32A06671F356}, version 0x418, 2450 bytes, 878411\37\user, C:\Users\user\AppData\Local\Programs\
Category:	modified
Size (bytes):	2450
Entropy (8bit):	3.4820436111378066
Encrypted:	false
SSDEEP:	48:CfFjcGrcGMlCy1ScG3cGXvcG3xcGUlCyalCyr6gxvBExw8xeUhd:UjdClC0StFjSlCFlC26gDEC8Hhd
MD5:	949444277CB23E3E9EA0A4742066FE65
SHA1:	2841E157C6830307A1E85399FDA1FB349B60A5B1
SHA-256:	905B48FE92949DD8617ED220E81F5D8B092B7D1C4D3A07EAABB5DA8B970DABF5
SHA-512:	8355899CF5C1305CFD22107C4D638F7D9F24CD4D5639418256B2B98DF6293044A40E3125DD24D6E64DA73B9CEC69F82BE9AAA70C426F255054585482B5004533
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................{E7AB5A61-4710-401C-A801-32A06671F356}..........................................................................................Xavier1.....................................................................................................................................%...............................................................................................................f8.X....9....p.................8.7.8.4.1.1......f.r.o.n.t.d.e.s.k......C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.X.a.v.i.e.r.1................8.+.... .....J..................C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.X.a.v.i.e.r.1..\...C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.t.a.r.t. .M.e.n.u.\.P.r.o.g.r.a.m.s.\.(.D.e.f.a.u.l.t.)......(.D.e.f.a.u.l.t.)......e.n.g.l.i.s.h.............................h..

C:\Users\user\AppData\Local\Programs\Xavier1\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3330109
Entropy (8bit):	6.54667575887517
Encrypted:	false
SSDEEP:	49152:UdJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQW3334h:2JYVM+LtVt3P/KuG2ONG9iqLRQW333e
MD5:	5FE23499576D601D7CDFA3B85A62574E
SHA1:	9223AF2055D3B63DB5E44E67AE9E6833FCE2EDC8
SHA-256:	4DB60792BCAC80105833D395B198F712DC9A0C9A2155688C366F86C6F310F8A8
SHA-512:	9BB85B74B05AC292A8E27044A8954254A68D5D2A984FC633DBF092F706B3173C001DF69B12245620A556A25E19624D66B0B72487A4BE046C27F60C1984ED7887
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................@3...........@......@...................P,.n.....,.j:...P0.8.....................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...8....P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp

Download File

Process:	C:\Users\user\Desktop\KBvv1g0Ihn.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	3305984
Entropy (8bit):	6.559917359469489
Encrypted:	false
SSDEEP:	49152:8dJYVM+9JtzZWnoS2VC23aun8+f5KuG2OY9IG9ivyv2cLx1RQW3334D:eJYVM+LtVt3P/KuG2ONG9iqLRQW333y
MD5:	96E71B42AF1B612788D51E0486213741
SHA1:	9EC888C1E3A9C790DD1CFF026DBBE73FB8B9076D
SHA-256:	7D392871DBEC09A22F43637316EC3500019AED24E4659A83FF2B034204193C58
SHA-512:	F080539E5B70F63BDE7A51BC21529EA315F4F82899508E0DCF48F1779DFA5B2A8C3098C705293D5C3A253E9FA8F9778AB8B40DB19A3651EA582ACA2013D0C21B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................@3...........@......@...................P,.n.....,.j:...P0.8.....................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc...8....P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-VNJ7M.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Xavier1.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Nov 12 14:42:35 2024, mtime=Tue Nov 12 14:42:35 2024, atime=Sun Nov 10 00:40:14 2024, length=346112, window=hide
Category:	dropped
Size (bytes):	1256
Entropy (8bit):	4.933988632292829
Encrypted:	false
SSDEEP:	24:8mQbtt62KddRO0540qpAxQGX+cG2VhiJWJUwqygm:8motA2KddROqLxQGX+cGcUJWJmyg
MD5:	1A4D0A352465F7BCD50D2C062107771E
SHA1:	5C1523F669F3A66C107518A4FD33621AC6B37CEF
SHA-256:	508C552B86D8E128AAD06FA6E7DA8ED836CF8D1EE6FE9791AF1B6352F16E910A
SHA-512:	74EE0993F8F9E3C47EC77D3CF27173DF98C014EB46646C33BBB4BB3A6463D27A7061D873FDFF57312A8AEF8D551E6B716702B0A2E401ECF542D73E0F6A061D66
Malicious:	false
Preview:	L..................F.... ...Xk.~.5....~.5.....\|.3...H........................:..DG..Yr?.D..U..k0.&...&......Qg._..../...5.......5......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=lYS}..........................3N.A.p.p.D.a.t.a...B.P.1.....lY.o..Local.<......EW.=lYS}.............................L.o.c.a.l.....Z.1.....lY.o..Programs..B......lY.olY.o.............................P.r.o.g.r.a.m.s.....V.1.....lYV}..Xavier1.@......lYR}lYV}.....&........................X.a.v.i.e.r.1.....\.2..H..jY.. .build.exe.D......lYR}lYR}...._(........................b.u.i.l.d...e.x.e.......j...............-.......i............).e.....C:\Users\user\AppData\Local\Programs\Xavier1\build.exe../.....\.....\.....\.....\.....\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.X.a.v.i.e.r.1.\.b.u.i.l.d...e.x.e.1.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.r.o.g.r.a.m.s.\.X.a.v.i.e.r.1.........\|....I.J.H..K..:...`.......X.......878411...........hT..CrF.f4... ..../Tc

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.997761346566559
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	KBvv1g0Ihn.exe
File size:	42'744'244 bytes
MD5:	49a5ac0f7efb1a9d8435d4f92b07dd45
SHA1:	3481320c4a63359ba1eb56a54aa991fc38dc9cdc
SHA256:	88304d367179a59758a8f4517f37cb7f03f4ec447658ab93f0d1fbe59268a904
SHA512:	b1fe75fc9449d27d115c6d4baacde0bb4d785f9ee6f1ed75813e64e3d19cfadd7478be4a0700cab1d390ad1b37134a5cf0280c6710cb4ae398bc0a630fa74f16
SSDEEP:	786432:9JzRWKppL5cbvZ1uIZVOLrnby1NMyU7h8dsev/Nk4hP6Zra9nKctwJAFs8dN:zfbFo1uE8nEwWsMP6ZGhhtBF/dN
TLSH:	4D973313A6CBE52DD45D1F7F05B3A255A4F7A660B122AE2686E888FCCE170001E3F757
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0f5565f0c87131b3

Static PE Info

General

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007F70ECB54B35h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007F70ECBE64BBh
call 00007F70ECBE600Eh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F70ECBE0CE8h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007F70ECB4EBE3h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007F70ECBE2013h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F70ECBE6543h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F70ECBED22Ah
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007F70ECBE2908h
mov edx, dword ptr [004B4200h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x9a9c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x9a9c	0x9c00	9564150610ddab48bb3821ffd4a1bade	False	0.1650390625	data	2.820952488424412	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb438	0x6548	Device independent bitmap graphic, 148 x 296 x 8, image size 21904, 256 important colors	English	United States	0.08284480098734959
RT_STRING	0xd1980	0x3f8	data			0.3198818897637795
RT_STRING	0xd1d78	0x2dc	data			0.36475409836065575
RT_STRING	0xd2054	0x430	data			0.40578358208955223
RT_STRING	0xd2484	0x44c	data			0.38636363636363635
RT_STRING	0xd28d0	0x2d4	data			0.39226519337016574
RT_STRING	0xd2ba4	0xb8	data			0.6467391304347826
RT_STRING	0xd2c5c	0x9c	data			0.6410256410256411
RT_STRING	0xd2cf8	0x374	data			0.4230769230769231
RT_STRING	0xd306c	0x398	data			0.3358695652173913
RT_STRING	0xd3404	0x368	data			0.3795871559633027
RT_STRING	0xd376c	0x2a4	data			0.4275147928994083
RT_RCDATA	0xd3a10	0x10	data			1.5
RT_RCDATA	0xd3a20	0x310	data			0.6173469387755102
RT_RCDATA	0xd3d30	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0xd3d5c	0x14	data	English	United States	1.25
RT_VERSION	0xd3d70	0x584	data	English	United States	0.25920679886685555
RT_MANIFEST	0xd42f4	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x40fc10
dbkFCallWrapperAddr	1	0x4b063c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-12T14:56:32.469551+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.7	49730	TCP
2024-11-12T14:57:04.503004+0100	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	1	192.168.2.7	49895	4.251.123.83	6677	TCP
2024-11-12T14:57:05.019107+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	4.251.123.83	6677	192.168.2.7	49895	TCP
2024-11-12T14:57:11.560317+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.7	49919	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 14:57:03.646385908 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:03.651294947 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:03.652362108 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:03.654841900 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:03.659646988 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:04.482511044 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:04.503004074 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:04.507848978 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:04.742265940 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:04.778176069 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:04.783324957 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.018654108 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.018682003 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.018687963 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.018718958 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.018727064 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.018739939 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.018759966 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:05.018819094 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:05.019107103 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.019114971 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.019134998 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.019141912 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.019177914 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:05.019177914 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:05.019534111 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.019555092 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.019624949 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:05.022030115 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:05.023575068 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.023585081 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.023677111 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:05.137165070 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.137188911 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.137201071 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.137284994 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:05.137317896 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.137373924 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.137378931 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.137397051 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:05.137473106 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:05.137710094 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:05.183052063 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.464380026 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.469463110 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.469485998 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.469516993 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.469533920 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.469537973 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.469558954 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.469594955 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.469791889 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.469826937 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.469866037 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.469898939 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.469908953 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.469918966 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.469949007 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.470582008 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.470645905 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.474492073 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.474504948 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.474517107 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.474524975 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.474543095 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.474544048 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.474555016 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.474594116 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.474611998 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.474735975 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.474818945 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.475774050 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.475855112 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.480829954 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.480861902 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.480885983 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.480895042 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.480946064 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.480969906 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.481012106 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.481023073 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.481030941 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.481060982 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.481108904 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.481118917 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.481126070 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.481168032 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.481209040 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.481251955 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.481268883 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.481323957 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.486012936 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486068964 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.486089945 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486121893 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486154079 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.486166954 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.486181021 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486217976 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486238003 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.486268044 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.486269951 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486309052 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.486310959 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486325026 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486355066 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.486380100 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.486416101 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486427069 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486439943 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486485958 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.486534119 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486543894 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486547947 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486552954 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486568928 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486577988 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486587048 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486596107 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.486613989 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486624002 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486654043 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486691952 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486730099 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486738920 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486768007 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486804962 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486814976 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486823082 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486851931 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486860991 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486901045 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486947060 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486955881 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486963987 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486983061 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.486993074 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487070084 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487096071 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487106085 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487114906 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487179995 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487190962 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487227917 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487251043 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487266064 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487276077 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487288952 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487299919 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487299919 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.487349033 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487374067 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.487394094 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487406015 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487420082 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487436056 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487446070 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487478018 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487540960 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487551928 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487560987 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487571955 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487580061 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487600088 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.487654924 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491030931 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491066933 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491075993 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491086960 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491149902 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491192102 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491195917 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491204023 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491214991 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491224051 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491277933 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491287947 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491302013 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491311073 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491337061 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491384983 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491394043 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491404057 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491414070 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491480112 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491496086 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491504908 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491522074 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491610050 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491620064 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491627932 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491708994 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491718054 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491769075 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.491981983 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.492048025 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.492201090 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.492213011 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.492405891 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.492410898 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.492516994 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.492527962 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.492577076 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.492611885 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.492789030 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.492851973 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.492908955 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.492990971 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493000984 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493009090 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493033886 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493045092 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493146896 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493191957 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493201971 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493210077 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493231058 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493241072 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493303061 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493355989 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493367910 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493383884 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493398905 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493410110 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493446112 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493503094 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493511915 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493524075 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493627071 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493637085 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493732929 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493869066 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493880987 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493890047 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493926048 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493937016 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.493968964 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.494004965 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.494015932 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.494030952 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.494050026 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.494060040 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.494118929 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.494262934 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.494292974 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.494302988 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.494313955 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.494358063 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.494368076 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.496961117 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497008085 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497019053 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497026920 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497031927 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497040987 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497056007 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497066021 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497101068 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497111082 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497149944 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497159958 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497234106 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497243881 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497252941 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497262001 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497272968 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497277021 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497292995 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497303009 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497313023 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497380972 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497390032 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497397900 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497428894 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497437000 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497459888 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497479916 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497522116 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497570038 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.497576952 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497586966 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497594118 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497638941 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.497659922 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497670889 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497679949 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497698069 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497704983 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497744083 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497754097 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497771025 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497807980 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497817039 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497821093 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497834921 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497844934 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497859955 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497916937 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497925997 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497935057 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497951984 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497961998 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497977018 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.497984886 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.502669096 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.502720118 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.502729893 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.502734900 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.502749920 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.502823114 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.502831936 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.502840996 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.502852917 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.502868891 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.502881050 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.502896070 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.502906084 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.502944946 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.503014088 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503024101 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503027916 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503031015 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503042936 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503081083 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503168106 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503185034 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503194094 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503201962 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503212929 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503251076 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503261089 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503268957 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503321886 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503331900 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503356934 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503453016 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503463984 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503478050 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503489971 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503496885 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503535032 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503623009 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503633022 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503640890 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503659010 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503669024 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503676891 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503694057 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503703117 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503711939 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503724098 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503732920 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503748894 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503758907 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503776073 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503813982 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503822088 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503830910 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.503894091 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.507937908 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.507983923 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508069992 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508109093 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508169889 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.508198023 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508210897 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508238077 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.508310080 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508318901 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508383989 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508393049 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508403063 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508411884 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508452892 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508511066 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508547068 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508595943 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508605003 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508611917 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508645058 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508655071 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508724928 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508754969 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508790970 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508801937 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508846998 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508903027 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508913040 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.508928061 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509012938 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509025097 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509068966 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509113073 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509123087 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509196043 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509322882 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509332895 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509418011 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509591103 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509599924 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509608030 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509639025 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509649038 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509691000 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509757996 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509768009 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509776115 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509808064 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509818077 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509860039 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509898901 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509913921 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.509958982 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.510068893 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513135910 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513191938 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513200998 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513205051 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513271093 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513279915 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513334990 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.513353109 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513370037 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513398886 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.513448000 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513453007 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513479948 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513550997 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513562918 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513600111 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513622046 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513650894 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513660908 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513674021 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513730049 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.513737917 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514198065 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514206886 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514249086 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514265060 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514307976 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514318943 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514358044 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514367104 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514400005 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514456034 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514482975 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514486074 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514497042 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514506102 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514533043 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514602900 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514621019 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514662981 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514672041 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514688015 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514759064 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514767885 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514815092 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514842033 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514851093 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514903069 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514914036 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514923096 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.514995098 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.515047073 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.515055895 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.515065908 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.515085936 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518225908 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518237114 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518310070 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518318892 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518330097 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518340111 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518394947 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518404007 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518435001 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518445015 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518466949 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518476009 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518486023 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518495083 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518657923 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518685102 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518728971 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.518731117 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518742085 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518752098 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518786907 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.518798113 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518820047 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518887997 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518897057 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518944025 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518953085 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.518973112 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519016981 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519026041 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519084930 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519089937 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519145012 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519197941 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519207954 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519229889 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519238949 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519247055 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519330025 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519340038 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519351006 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519401073 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519408941 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519418001 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519495010 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519507885 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519546986 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519598007 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.519607067 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.566219091 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:09.566481113 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.566571951 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.566571951 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.566596031 CET	49895	6677	192.168.2.7	4.251.123.83
Nov 12, 2024 14:57:09.598442078 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:10.392611027 CET	6677	49895	4.251.123.83	192.168.2.7
Nov 12, 2024 14:57:10.439817905 CET	49895	6677	192.168.2.7	4.251.123.83

Target ID:	0
Start time:	08:56:14
Start date:	12/11/2024
Path:	C:\Users\user\Desktop\KBvv1g0Ihn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KBvv1g0Ihn.exe"
Imagebase:	0x60000
File size:	42'744'244 bytes
MD5 hash:	49A5AC0F7EFB1A9D8435D4F92B07DD45
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:56:14
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp" /SL5="$10432,41796246,816128,C:\Users\user\Desktop\KBvv1g0Ihn.exe"
Imagebase:	0x8e0000
File size:	3'305'984 bytes
MD5 hash:	96E71B42AF1B612788D51E0486213741
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:42:50
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\Programs\Xavier1\build.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Programs\Xavier1\build.exe"
Imagebase:	0x150000
File size:	346'112 bytes
MD5 hash:	C9B68B9567CC9067794E32999C02BFA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000000.1722289341.0000000000152000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000000.1722289341.0000000000152000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.1819024150.0000000002614000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.1819024150.000000000262D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	43
Total number of Limit Nodes:	8

Executed Functions

Function 00007FFAAC539BA1 Relevance: 13.2, Strings: 8, Instructions: 3160COMMON

Download Yara Rule

Strings

X5, xrefs: 00007FFAAC53A5D3
(Q3, xrefs: 00007FFAAC53B636
X5, xrefs: 00007FFAAC53B5C2
X5, xrefs: 00007FFAAC53A57C
X, xrefs: 00007FFAAC53A4DC
<, xrefs: 00007FFAAC53AD2C
(Q3, xrefs: 00007FFAAC53B66B
<, xrefs: 00007FFAAC53AD78

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID: (Q3$(Q3$X$X5$X5$X5$<$<
API String ID: 0-2305399246
Opcode ID: 5443ba9d793a4d0a33bf57889620d18d32bd63b9143ee62bc34c7daec884c5c5
Instruction ID: 466e1dee0bfc34412e2565ad04d7e7deebcb8d64d55138e745f22c4e6695a277
Opcode Fuzzy Hash: 5443ba9d793a4d0a33bf57889620d18d32bd63b9143ee62bc34c7daec884c5c5
Instruction Fuzzy Hash: 9B23F671A1DB8A8FE799DB2C84656397BD1FF56300B0445BEE04EC7293DE28EC458781

Function 00007FFAAC68269B Relevance: 5.8, Strings: 4, Instructions: 782
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@B/, xrefs: 00007FFAAC681E41
/2, xrefs: 00007FFAAC681D87
/2, xrefs: 00007FFAAC6825DA
/2, xrefs: 00007FFAAC681C15

Memory Dump Source

Source File: 0000000C.00000002.1860900208.00007FFAAC680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac680000_build.jbxd

Similarity

API ID:
String ID: @B/$/2$/2$/2
API String ID: 0-3224028736
Opcode ID: 41ab2405940477edd9686ce3a3e4c7bf1ee7eac64f2e11aeaec611eae3622630
Instruction ID: 8ac541d580a99a1b366f8a1831b323241c98a929b10637a694fa0ba8ba6dd772
Opcode Fuzzy Hash: 41ab2405940477edd9686ce3a3e4c7bf1ee7eac64f2e11aeaec611eae3622630
Instruction Fuzzy Hash: 9362DC70D19A198FEBA9DB18C899BA8B7B1FF59300F5051E9D00DE3291CF34AA85CF41

Function 00007FFAAC53A450 Relevance: 3.9, Strings: 2, Instructions: 1353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X5, xrefs: 00007FFAAC53A57C
<, xrefs: 00007FFAAC53AD2C

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID: X5$<
API String ID: 0-3372022791
Opcode ID: 00b0edc77e68fcaaf250a8b7d72bd98f14ca980581a0a2d9338754a9fcf7cd5d
Instruction ID: 85a05ce2159e6d6caeb6f34b87adb44d7d80154563a4da18942e14bf0f9cdff8
Opcode Fuzzy Hash: 00b0edc77e68fcaaf250a8b7d72bd98f14ca980581a0a2d9338754a9fcf7cd5d
Instruction Fuzzy Hash: FD92A531A1DA4A8FEBA8EB2CD465A35B7E1FF55300B0544B9F04EC72A7DD28EC458781

Function 00007FFAAC690B26 Relevance: 2.3, Strings: 1, Instructions: 1043
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+)_H, xrefs: 00007FFAAC69113F

Memory Dump Source

Source File: 0000000C.00000002.1860900208.00007FFAAC680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac680000_build.jbxd

Similarity

API ID:
String ID: +)_H
API String ID: 0-617546357
Opcode ID: 1cb3cba8ba78616a29dccbc1f4c1c094aa6cce9476ad8e24df56f0751d264202
Instruction ID: 04e12070c940465b8abd190b9a23affd71e85c94b80d7e19cc8fa430b71880ba
Opcode Fuzzy Hash: 1cb3cba8ba78616a29dccbc1f4c1c094aa6cce9476ad8e24df56f0751d264202
Instruction Fuzzy Hash: B672B770A19A49CFEB99DB68C454BA877E1FF59304F1491B9D00EC7292CE3DE885CB81

Function 00007FFAAC5316B3 Relevance: 2.3, Strings: 1, Instructions: 1007
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X5, xrefs: 00007FFAAC53174D

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID: X5
API String ID: 0-1707163818
Opcode ID: 531520b55cd59e28a6199d938253f156676eae9c097b86e05ebf3f00db329c02
Instruction ID: d3f285c86d3ff80d257d8465470a9d699051323ed8b4123a517fe4b359efb5b4
Opcode Fuzzy Hash: 531520b55cd59e28a6199d938253f156676eae9c097b86e05ebf3f00db329c02
Instruction Fuzzy Hash: 8B52D330A0DA4A8FE799D73C9869A757BD5EF96310B0442BAE04EC72E3DD14EC4687C1

Function 00007FFAAC6921DB Relevance: 2.0, Strings: 1, Instructions: 733
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

', xrefs: 00007FFAAC69220C

Memory Dump Source

Source File: 0000000C.00000002.1860900208.00007FFAAC680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac680000_build.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 11241443c0683702cc0e2c11b1e2a8f26d3f580aaa4a1bce6d058999af7acaa4
Instruction ID: afb87a221bb69a95a933e9f5870324437b2c7cf77d473ab41dd0646dc5852a5d
Opcode Fuzzy Hash: 11241443c0683702cc0e2c11b1e2a8f26d3f580aaa4a1bce6d058999af7acaa4
Instruction Fuzzy Hash: 14522C70D19A198FEB99EB18C895BA9B7F1FB59301F1051F9D00DE3291CE39AD858F80

Function 00007FFAAC68F4CD Relevance: 1.1, Instructions: 1102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1860900208.00007FFAAC680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac680000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9686002f2215c7b1852c216b2b60b9d3495e17de270eef0aef4dd6d38b53673
Instruction ID: 97b471c34c09f3abac9d2b9ec417db67f47862a32eaf0ec23c15a785c6351b8d
Opcode Fuzzy Hash: b9686002f2215c7b1852c216b2b60b9d3495e17de270eef0aef4dd6d38b53673
Instruction Fuzzy Hash: AE62C030B1DA098FEB59EB2CD455A7973D2FF59300B1451B9E44EC32A2DE28EC4687C6

Function 00007FFAAC53C50A Relevance: .8, Instructions: 767COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ebd3bc574c2c825a918ce5b7e64cea588bd5e0cc85dc6743ecc9b83ea22a159
Instruction ID: c651a12cf1db1534389cb6dd0d51048e94cab6e8b95e4a35a9096065fd7fee0a
Opcode Fuzzy Hash: 0ebd3bc574c2c825a918ce5b7e64cea588bd5e0cc85dc6743ecc9b83ea22a159
Instruction Fuzzy Hash: 2122B271B1DA4A8FE798DB2C9465638BBD1FF56710B0442BAE04EC72A3DE24EC458781

Function 00007FFAAC462FF0 Relevance: 4.0, Strings: 3, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r62, xrefs: 00007FFAAC46C5D8
r62, xrefs: 00007FFAAC46C664
r62, xrefs: 00007FFAAC46C694

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID: r62$r62$r62
API String ID: 0-4203318338
Opcode ID: 2bcc28046ae306f0ccfb954a6dcadf1414ac7e8a6cf153e1f7dca808cea03f48
Instruction ID: 106407c7d7b2ad19cd883a119f1ec25d2634bb32b57b7bd47c86a5d1f0294fc8
Opcode Fuzzy Hash: 2bcc28046ae306f0ccfb954a6dcadf1414ac7e8a6cf153e1f7dca808cea03f48
Instruction Fuzzy Hash: EF912A71E0DA498FEB48CB5CC8596BDBBE1FF99314F04427AD04DE3296CF2498058799

Function 00007FFAAC463299 Relevance: 2.8, Strings: 2, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/2, xrefs: 00007FFAAC4633FA
p[4, xrefs: 00007FFAAC46362A

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID: p[4$/2
API String ID: 0-2845250142
Opcode ID: 60f515cd9ad554a572da6816d768bd68636ba1c5448db8c8cf0dabce575bb4c4
Instruction ID: 06b9abb749a666198d0169a0b1a9127d9f210973321c0f1b54ab4f841a167acc
Opcode Fuzzy Hash: 60f515cd9ad554a572da6816d768bd68636ba1c5448db8c8cf0dabce575bb4c4
Instruction Fuzzy Hash: 58C14D70D09699CFEB98DB58C8597B8B7B1FF55314F4081B9D00DD3296CA38A985CF84

Function 00007FFAAC460F4F Relevance: 2.8, Strings: 2, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

r62, xrefs: 00007FFAAC4610A4
0#<, xrefs: 00007FFAAC461832

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID: 0#<$r62
API String ID: 0-2846726167
Opcode ID: 8d9f0abe7445005a00cc5a8918a7ff7b04c4534f1a7bb47dcaccc5e21fd23d4c
Instruction ID: 6ffcefca22ecd405283dd80ff7019f1af629df19a1a4f531db52a92313409982
Opcode Fuzzy Hash: 8d9f0abe7445005a00cc5a8918a7ff7b04c4534f1a7bb47dcaccc5e21fd23d4c
Instruction Fuzzy Hash: DBD15274A09A1C8FDBA4EB18C898BA8B7F5FF59301F1441E9914DE7265CB70AE81CF44

Function 00007FFAAC5304FD Relevance: 2.6, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X5, xrefs: 00007FFAAC53054B
X5, xrefs: 00007FFAAC5304FE

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID: X5$X5
API String ID: 0-2676121072
Opcode ID: c7762801dbf693258de5f9223323d50c3a76d37b8e53ee429cd3d8076007b28d
Instruction ID: 1b797d9cfccddcb61e2f92689364d0113c41bc5f2fe801056775c1f9379127f3
Opcode Fuzzy Hash: c7762801dbf693258de5f9223323d50c3a76d37b8e53ee429cd3d8076007b28d
Instruction Fuzzy Hash: 8911E461A4EB868FE799D72C84A56353BC1EFDA710B1441BAE08DC73A3CE18DC458745

Function 00007FFAAC53D439 Relevance: 2.1, Strings: 1, Instructions: 876
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFAAC53DAE2

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0d1348270287a00568ade1a271ad6f36edf946f94622c5a8de3da380651b07bd
Instruction ID: 27a655ddeba77bf77a92856e6d373fcc36727ce8a64ac84203c24628cabe061f
Opcode Fuzzy Hash: 0d1348270287a00568ade1a271ad6f36edf946f94622c5a8de3da380651b07bd
Instruction Fuzzy Hash: 7D422871A1DB898FE795DB2C88659347BF1EF56310B0541FEE04ECB2A3D928EC498781

Function 00007FFAAC694BA8 Relevance: 1.9, APIs: 1, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1860900208.00007FFAAC680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac680000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfa3077ccf30148d1a17c158941a0cb49282e39257089ec467a1f798da470aa
Instruction ID: 2c6a39d3a6509a2b47785d305572ad3c71c3a6a23cb7afcfdc689cd8a8a14664
Opcode Fuzzy Hash: 5dfa3077ccf30148d1a17c158941a0cb49282e39257089ec467a1f798da470aa
Instruction Fuzzy Hash: ACD1C32194E7C68FE7179B7888655A07FF0EF57320B0951EBD089CB0E3D61DA84AC792

Function 00007FFAAC684485 Relevance: 1.8, APIs: 1, Instructions: 259fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FFAAC68464F

Memory Dump Source

Source File: 0000000C.00000002.1860900208.00007FFAAC680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac680000_build.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e341ed940aa893868555090011bae1a51cd194c5f0ac21697b5a4adc63328074
Instruction ID: a8fd87cf61558b2d50343c67aa9bedcb7b0cc63946588ac5c3276a479822e46f
Opcode Fuzzy Hash: e341ed940aa893868555090011bae1a51cd194c5f0ac21697b5a4adc63328074
Instruction Fuzzy Hash: 2F81C570918B8C8FEB69DF28C8567F97BE0FB59310F10416AE84DC7252DB74A9458BC2

Function 00007FFAAC698CB8 Relevance: 1.7, APIs: 1, Instructions: 205windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32 ref: 00007FFAAC698E3A

Memory Dump Source

Source File: 0000000C.00000002.1860900208.00007FFAAC680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac680000_build.jbxd

Similarity

API ID: BitmapCompatibleCreate
String ID:
API String ID: 1901715728-0
Opcode ID: 3e8c85ec5e0efe11fb38c1eae1856550f018374284a1071a6c2372a7b7fb5dac
Instruction ID: d8ec5335d8fb05b3ee0e77bed11b38f5857780f4da4c7ed4cada1665dc1646f0
Opcode Fuzzy Hash: 3e8c85ec5e0efe11fb38c1eae1856550f018374284a1071a6c2372a7b7fb5dac
Instruction Fuzzy Hash: D9616E7184E7C58FD7578B7448266E57FF0EF17220B0A45EBC089CB0A3E66D584AC7A2

Function 00007FFAAC684F91 Relevance: 1.7, APIs: 1, Instructions: 196fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FFAAC68509A

Memory Dump Source

Source File: 0000000C.00000002.1860900208.00007FFAAC680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac680000_build.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4a2f17725e96214336f0a1e8899531d3f2cee4221e8ef8262710e06b486bb7dc
Instruction ID: 6cdc03e64967160fff7190f2b42cd02b6979c501bb7f664aa944d4403df5651a
Opcode Fuzzy Hash: 4a2f17725e96214336f0a1e8899531d3f2cee4221e8ef8262710e06b486bb7dc
Instruction Fuzzy Hash: A6519E71908A1C8FDB58DF58D845AEDBBF1FB99310F04826AD00EE7256CA34A945CBC1

Function 00007FFAAC460DF5 Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

0#<, xrefs: 00007FFAAC461832

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID: 0#<
API String ID: 0-2017611749
Opcode ID: bed1a4d5ee7df4a9186ac0a8555af4facb68d2630f05cf2dcb10269497d63467
Instruction ID: bd9e48c3c710e5d2d8cf502bd02e84a98056f5824bd480dca36ce4dae15a7a50
Opcode Fuzzy Hash: bed1a4d5ee7df4a9186ac0a8555af4facb68d2630f05cf2dcb10269497d63467
Instruction Fuzzy Hash: 4DC1A875909A1D8FDBA8DB18C898BA9B7F5FF59300F1041E9D00DE7265CA349E85CF44

Function 00007FFAAC461EDE Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

0#<, xrefs: 00007FFAAC461832

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID: 0#<
API String ID: 0-2017611749
Opcode ID: cd7f7f1890e29c03ee866b3b078aad373e71f011aafac07fdca71fe8ff630151
Instruction ID: 3fdcc16f423df5b154cae4c26503ee39f57cad79850eeba66b521105c84fda02
Opcode Fuzzy Hash: cd7f7f1890e29c03ee866b3b078aad373e71f011aafac07fdca71fe8ff630151
Instruction Fuzzy Hash: B8B11B74909A19CFEBA9DB18C899BA8B7F1EF59304F1041E9D00DE7295CB34AE85CF44

Function 00007FFAAC53BDAC Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

~>_H, xrefs: 00007FFAAC53BE64

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID: ~>_H
API String ID: 0-3245688848
Opcode ID: b427ecf2f66614d13e948489a42160f8bb05bf86fc30a11aadc5d194d08d4468
Instruction ID: 09b19e64a7e790b6113a5078c94f95dbe6d0229be2ed9c1dc1e839f00f0fe5dc
Opcode Fuzzy Hash: b427ecf2f66614d13e948489a42160f8bb05bf86fc30a11aadc5d194d08d4468
Instruction Fuzzy Hash: 6771157171CB898FE798DB1C9865A757BE1EF9A710B0541AEF04EC72A3DD20DC068782

Function 00007FFAAC4615AE Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

0#<, xrefs: 00007FFAAC461832

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID: 0#<
API String ID: 0-2017611749
Opcode ID: 7789577685d9096f559b466e9fbcf5caccfb19d84f6efb3523443fe264cc1935
Instruction ID: a07f9639a2a1b47fffcddf15187df379f7add7aa0ec6c40fc9d579c06c3fb000
Opcode Fuzzy Hash: 7789577685d9096f559b466e9fbcf5caccfb19d84f6efb3523443fe264cc1935
Instruction Fuzzy Hash: 35B19674A1961D8FDBA8DB58C898BA8B7B1FF59300F5041E9D00EE7265CB34AE81CF44

Function 00007FFAAC461F71 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

0#<, xrefs: 00007FFAAC461832

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID: 0#<
API String ID: 0-2017611749
Opcode ID: c604f52181fb090833e6e8cd07fae96f70734989097eb81a2ba12b8700d6c80d
Instruction ID: 44c654b540e4812c5d9e84ca02ef7aec615f586ebc5d7a60449f9e55322ec46c
Opcode Fuzzy Hash: c604f52181fb090833e6e8cd07fae96f70734989097eb81a2ba12b8700d6c80d
Instruction Fuzzy Hash: 2A916774A19A188FDBA9DB18C898BA8B7F5FF59301F1041E9D00DE7265CB75AE81CF40

Function 00007FFAAC461E4F Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

0#<, xrefs: 00007FFAAC461832

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID: 0#<
API String ID: 0-2017611749
Opcode ID: f736c0f41357844f9cd111bbe438ef656bf03fff3cf39082199aac7b0dc95ac6
Instruction ID: 1860a5b8c273ca1048c9c26ed431c46635cf772ad0cd5fff282a32c665393a50
Opcode Fuzzy Hash: f736c0f41357844f9cd111bbe438ef656bf03fff3cf39082199aac7b0dc95ac6
Instruction Fuzzy Hash: E581A774A09A198FDBA9DB18C898BA8B7F5FF59301F1041E9D00DE7265CB34AE85CF40

Function 00007FFAAC460A52 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

b42, xrefs: 00007FFAAC460AA1

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID: b42
API String ID: 0-2662076599
Opcode ID: 3b68b3b4c6ad62c95eb5142106788f2da52907bbab6dedad12dbf708e238877b
Instruction ID: 4bc3a880278cfc8052c4b0651554eec7ca116d5715642df963d3cec6b28bb4e0
Opcode Fuzzy Hash: 3b68b3b4c6ad62c95eb5142106788f2da52907bbab6dedad12dbf708e238877b
Instruction Fuzzy Hash: A5417EB1918A498FE385CF68C8987E97FE1FB65714F90416AC00DD77A9DBB52814CB80

Function 00007FFAAC4630D0 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

r62, xrefs: 00007FFAAC46C5D8

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID: r62
API String ID: 0-3442578246
Opcode ID: 13ccf676dbd91285ec095ba72fa61cc216ff44c676f912eec69bc78a7271d21c
Instruction ID: b7bfb291d47b0cda1747b0f4b6884140ef6c3a4d00b782f3a5d589ac1cab787e
Opcode Fuzzy Hash: 13ccf676dbd91285ec095ba72fa61cc216ff44c676f912eec69bc78a7271d21c
Instruction Fuzzy Hash: F721E571E0DA5D8FEB84DB5C88482EDBBF2FB89314F14826AD40DE3249DF3498058795

Function 00007FFAAC539D28 Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df858284a1b0a99f438c3a97df9cc7a85a77b067beb73a2905bce5b44c0577a6
Instruction ID: eba99aef6f10148098118048b8d50735abd7aca04bfcf6846b03c92cd3f80a34
Opcode Fuzzy Hash: df858284a1b0a99f438c3a97df9cc7a85a77b067beb73a2905bce5b44c0577a6
Instruction Fuzzy Hash: 4C321661A1EB8A8FE7A5EB6C88655797FD4FF16210B0405BEF05EC7293CD28EC448781

Function 00007FFAAC53BFFD Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a8709dd9dc9080120ef6128006b8b18f2bd9f0da57ca6fb5efca3c812466df
Instruction ID: 132e95dbb553ccb8039a0ab6c23a38465b19a3dc36836841d5275c9a3b51de7a
Opcode Fuzzy Hash: d1a8709dd9dc9080120ef6128006b8b18f2bd9f0da57ca6fb5efca3c812466df
Instruction Fuzzy Hash: 4091E561A5EBC68FF356972888655247FE4EF57210B0941FFE04ECB2A3D918EC49C392

Function 00007FFAAC5322EE Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8047e03dbccbfb5e70015585eaf039015405e0284637976b2c3164d6bf079844
Instruction ID: f1d0e54c42b7e2c258101d6959d612160e61f5d656927ab11e57a58a2a6c50e2
Opcode Fuzzy Hash: 8047e03dbccbfb5e70015585eaf039015405e0284637976b2c3164d6bf079844
Instruction Fuzzy Hash: 95810270A0DE4A8FE759972C98656747BD1EB96310F0441BAE05EC72E3DD28EC4683C1

Function 00007FFAAC53D1F9 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10e64ce92cd1d24f216090a98f67563cb5bbb435d6fe5e2caf4cab5639b95d9
Instruction ID: 7a28cdcd81df7c72f20fa46e4febc699ef9d19e83575bee3bf0163afcfa91ad1
Opcode Fuzzy Hash: d10e64ce92cd1d24f216090a98f67563cb5bbb435d6fe5e2caf4cab5639b95d9
Instruction Fuzzy Hash: E471F47071CB498FE799D71C98669347BE1EF9A31070902EAF44ECB2A7D914EC068B81

Function 00007FFAAC462E90 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63c9c3cf74409b00aea4723e53a2816536313e63d56065a7253743414f1ac7d
Instruction ID: bdd84a2ab607ca03e6d5bccd7695e4085fff580d67a930d093de0b7c7e461f64
Opcode Fuzzy Hash: b63c9c3cf74409b00aea4723e53a2816536313e63d56065a7253743414f1ac7d
Instruction Fuzzy Hash: 58910970A1891D8FEB94EF68C899BACB7F1FF59304F4041A9D00DD7296DE34A884CB84

Function 00007FFAAC53C2A1 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e392baa29acef95d078b47577848f5740299418d9d322062971383becd7d825
Instruction ID: 864617fcc162dfe86406247a247c605a46dcc7b12d16f1447e83c9fdbe5598c6
Opcode Fuzzy Hash: 5e392baa29acef95d078b47577848f5740299418d9d322062971383becd7d825
Instruction Fuzzy Hash: DB51F67171CF498FEB98DB1C9865A757BD1EF9A310B4402AEF44EC7292DD20EC068782

Function 00007FFAAC530285 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1554ed6d1bea2ef72ba03e070ac153a6633daf846ced1cf1ac4881e40955ce
Instruction ID: 5fe7c863051a8d29f683db1018e25b2b945a44f35bd4e23ca0f91d37ce8c6091
Opcode Fuzzy Hash: aa1554ed6d1bea2ef72ba03e070ac153a6633daf846ced1cf1ac4881e40955ce
Instruction Fuzzy Hash: DF51097190E7C58FE75697288CA55753FE4EF97210B0942EBE04DCB2E3D918AC09C392

Function 00007FFAAC462F0D Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390575ac020744994cb0c5bb88f6d18a288584e4c51250ce6c1784a330d842a4
Instruction ID: 61524a82077d4e6ad1c252f1a3b8caf1c1aeb6f36f7d8cf847e8d46ecf10705a
Opcode Fuzzy Hash: 390575ac020744994cb0c5bb88f6d18a288584e4c51250ce6c1784a330d842a4
Instruction Fuzzy Hash: 01518F71908A4D8FEB84EF68C859AEEBBF0FF55315F00457AE409D3292DB34A844CB81

Function 00007FFAAC53031D Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849bd973e5d230c47a21052525718671eec3f3a3199e064f5540af3809273e70
Instruction ID: 31ef8c429a2c6129d6676d639e4f4ff8f9edb63595998dc748a5db7618349150
Opcode Fuzzy Hash: 849bd973e5d230c47a21052525718671eec3f3a3199e064f5540af3809273e70
Instruction Fuzzy Hash: 3E31283150EB858FE755D72888A55257FE5EF9731070942EBE04DCB6E3D818EC09C392

Function 00007FFAAC462CBD Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb90a657580f023c9bddc5902b6c8c16ee6ccd590915b7f4a47eed7f5a9cd0d7
Instruction ID: 54c7ddb5865b472608d0a25c59356f9e97679eaab569cd7744a4f947239706c3
Opcode Fuzzy Hash: bb90a657580f023c9bddc5902b6c8c16ee6ccd590915b7f4a47eed7f5a9cd0d7
Instruction Fuzzy Hash: 6F3126B590EA89DFF7659B28C8591A9FFE0FF52308F4840FAD44DC7096DA25E848C781

Function 00007FFAAC46334B Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2d01fbc95a77b4817f88c0bddc07bb5e46c8d594b0dd53c113e2505f6d8253
Instruction ID: ea3de74ef91a85bbd7a441c7bfab7139f3271c6c79291957f58d468099bb5c8c
Opcode Fuzzy Hash: 3c2d01fbc95a77b4817f88c0bddc07bb5e46c8d594b0dd53c113e2505f6d8253
Instruction Fuzzy Hash: EC212A70D1969DCFEB68DB58D8497F8B7B1FB59314F4080BAD00EE3295CA34A9848F85

Function 00007FFAAC46275A Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b4fc82477b2bf87a32c2a0bba875b8e421ae9b539f7f3b378a187a0c255a08
Instruction ID: 0f35ee77e0e905b337ef3fd529ca7787ee739c3dbaff8cd9c95fd93bbb026fba
Opcode Fuzzy Hash: 71b4fc82477b2bf87a32c2a0bba875b8e421ae9b539f7f3b378a187a0c255a08
Instruction Fuzzy Hash: 2721E770D1D689DFF794EB28C899AF9FBD0FF45314F4485B9E40DC6196CD24A8848B81

Function 00007FFAAC532119 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281e262fe55e0640c2e8a8b8f81588bbae3f8b3f5035389e22cb16041a8bd80e
Instruction ID: 6d3c39d274b14d07d5a46a4e290cfbce245eabe3fb797d6498c5c0fe0e1491f1
Opcode Fuzzy Hash: 281e262fe55e0640c2e8a8b8f81588bbae3f8b3f5035389e22cb16041a8bd80e
Instruction Fuzzy Hash: C511B461A0DA868FF399D72C88652353BD2EF99311B14407EF05EC7393DE18DC458782

Function 00007FFAAC5306E0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270b1e889f253ac398bae38be905bdedb49eca91fc7ba773675c1a952b8c3bb3
Instruction ID: e8c541fe5668cbe1304b2da53b8d743707ebb35cc5b8dcbdeaaa04808d1c2ed2
Opcode Fuzzy Hash: 270b1e889f253ac398bae38be905bdedb49eca91fc7ba773675c1a952b8c3bb3
Instruction Fuzzy Hash: 1E1106A1A1EB868FF399971C84695397FD1EF96710B1841BAE04EC72A3CD28DC098785

Function 00007FFAAC460D01 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d82197b95d3dc48c4598236dc3c5a6a0b23eaa6c382493493c45ab6a9a052f
Instruction ID: a59c292373ae1016f02e70e7a425084137171842a09bd4e02bd58d82d663edc8
Opcode Fuzzy Hash: 82d82197b95d3dc48c4598236dc3c5a6a0b23eaa6c382493493c45ab6a9a052f
Instruction Fuzzy Hash: 9F010461C0D6899FF795AB34C85A6F8BFA0FF45204F4042FAD00DC60D3DD28B9448649

Function 00007FFAAC5307CE Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1858599845.00007FFAAC530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac530000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f26c501e466c8b3eee9e1593216a975ae1f46d3bee16b4c624969f32d8c4cd
Instruction ID: 429be525e1401c544db2aaa1fb4b17caa0a370023790644d684e198fcf25fdcc
Opcode Fuzzy Hash: a2f26c501e466c8b3eee9e1593216a975ae1f46d3bee16b4c624969f32d8c4cd
Instruction Fuzzy Hash: DE11CC3061EA86CFEBA5D718C464A25BBD1EF95300B1841ADF04DC72D2CE18EC44C7C1

Function 00007FFAAC460850 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2232890a3ad0b17869e1db04fa452da78063df5ee679c9793dd67400ae75136b
Instruction ID: 6548b369710768bc8044644aeae796f2658cb17e8b3f32562d4b8eaea17bd7a4
Opcode Fuzzy Hash: 2232890a3ad0b17869e1db04fa452da78063df5ee679c9793dd67400ae75136b
Instruction Fuzzy Hash: A501DB63D0E686CBF71663ACE86A1F57F90DF43229F0C41B2E08D85197DD09A41E85DE

Function 00007FFAAC463775 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26872120d4dff20c1b87a7c8ebf1a207a5f7b1b6b7448596a2d0402d54ed8ba0
Instruction ID: 421ea45b1f6aa2f0586cd2cc22395fdf3420e0852f814c5a2a371553101c50f3
Opcode Fuzzy Hash: 26872120d4dff20c1b87a7c8ebf1a207a5f7b1b6b7448596a2d0402d54ed8ba0
Instruction Fuzzy Hash: BA014C70808A8D8FDF84EF68C858AAABBF0FF69301F0045AAD419C7261D7309554CB80

Function 00007FFAAC462EE0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a282cb300ef9c510a0636cfbb927f4403b320ec4be0518f4767b22cacfe260ed
Instruction ID: 492143e79719902f45884fa33ee50aa0695d74f22089e65eb5bbb1989f988609
Opcode Fuzzy Hash: a282cb300ef9c510a0636cfbb927f4403b320ec4be0518f4767b22cacfe260ed
Instruction Fuzzy Hash: AD01D670914A0D9FDF84EF68C849AEEBBF0FB68305F10456AA81DD3260DB70E594CB80

Function 00007FFAAC462FA8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea80365ab8b79c856716bf70937de0ae504b3973363983c7700fb99ba564c7a3
Instruction ID: e2a50b603e92ec4d184a8c0b7d2df62b4d95b52a1286c7df6b0010d0d4c58309
Opcode Fuzzy Hash: ea80365ab8b79c856716bf70937de0ae504b3973363983c7700fb99ba564c7a3
Instruction Fuzzy Hash: 40018470954A4D9FDF84EF68C849AEABBF0FB68305F10456AA81DD3264DB30E594CB81

Function 00007FFAAC4621F9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c16eed1a79f9eeace9f7911d09e106bbbaedbe949fb748fcc876cc80f088223
Instruction ID: ac4955ea34880348a08e0773e16d55777daa06f2e0e9a175a8769b757d5b9f70
Opcode Fuzzy Hash: 9c16eed1a79f9eeace9f7911d09e106bbbaedbe949fb748fcc876cc80f088223
Instruction Fuzzy Hash: 76017C70908A8DCFDB95EF68C8596AABBF0FF5A300F0505DAD418C72A2D734D944CB41

Function 00007FFAAC462F08 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89bd98ca30059461bd649aa8536588732d98728b136068c8739f43687654a152
Instruction ID: 0f14014f547ec651ef4a83ee161b0086e04ab168ff482f37e09554e00b28ba7c
Opcode Fuzzy Hash: 89bd98ca30059461bd649aa8536588732d98728b136068c8739f43687654a152
Instruction Fuzzy Hash: 5E01B67091490D8FDF84EF68C848EAEBBF0FB68305F1045AAA41DD3264DB30E694CB80

Function 00007FFAAC463790 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1248e6fda843a743e2e224530bee53a25433647104a181348694809cb6247f5d
Instruction ID: 74ee231c53a50071db4d2f0217c77257eee8dc47bf0d71d89f70728056608599
Opcode Fuzzy Hash: 1248e6fda843a743e2e224530bee53a25433647104a181348694809cb6247f5d
Instruction Fuzzy Hash: 3701747091495D8FDF84EF68C848AAEBBF0FB68305F1045AAE419D3264DB71A694CB81

Function 00007FFAAC460D99 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96ff7f40bb03bcebb8993e4b2bc84cc813fc0361e597140b97deae276c30fb1
Instruction ID: a586a85e7f7f9e2a967407505c9ef21ff3ae1e6c1ed65ff42a5a07b8a0f2e06c
Opcode Fuzzy Hash: d96ff7f40bb03bcebb8993e4b2bc84cc813fc0361e597140b97deae276c30fb1
Instruction Fuzzy Hash: 61F0C27190E7889FE7569B64885D1A8BFB0EF96224F4841E7D50CC70D3EA2864488345

Function 00007FFAAC462D70 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839ab63d8fbb0621e9cc3a76cf7e51656bb670f1730475eeef967260f32f3112
Instruction ID: 43fc4d7defb1d70701b137afd366c68b817b429c872d7cc572156534c9943350
Opcode Fuzzy Hash: 839ab63d8fbb0621e9cc3a76cf7e51656bb670f1730475eeef967260f32f3112
Instruction Fuzzy Hash: 81F0F83091494C9FDF88EF68C448AA9BBB0FB69305F4045AAA40EC31A0DB31A694CB40

Function 00007FFAAC460873 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06f487f2634886a0cc7900b54ac1dec3edf9237e46b37ce9263ef63b6299741
Instruction ID: 45f82e53a1d7135b8a93392a5d5c3a5a9e760851f112707db9e1a2df6d856624
Opcode Fuzzy Hash: f06f487f2634886a0cc7900b54ac1dec3edf9237e46b37ce9263ef63b6299741
Instruction Fuzzy Hash: FCF0826181E3C98FE75763B908180A5BF30AF53208F0941E3E08CCA0D7DD18D81CC3AA

Non-executed Functions

Function 00007FFAAC4654CA Relevance: 9.1, Strings: 7, Instructions: 352COMMON

Download Yara Rule

Strings

r62, xrefs: 00007FFAAC46573A
r62, xrefs: 00007FFAAC46554B
r62, xrefs: 00007FFAAC4657DF
r62, xrefs: 00007FFAAC465695
r62, xrefs: 00007FFAAC4655F0
r62, xrefs: 00007FFAAC465929
r62, xrefs: 00007FFAAC465884

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID: r62$r62$r62$r62$r62$r62$r62
API String ID: 0-625199778
Opcode ID: fc164d228edbf37e3d09a0e6d6e400839e92c24680b3f8adfb89e41a6c354403
Instruction ID: 2b37aefb1b78c30d3172039b893df766ed6d7350545913420c44991f64506e71
Opcode Fuzzy Hash: fc164d228edbf37e3d09a0e6d6e400839e92c24680b3f8adfb89e41a6c354403
Instruction Fuzzy Hash: 9ED131B1D19A5D8FEBA4EB18C899BE9B7E1FB59310F0042F9D00DD3296CA349D858F41

Function 00007FFAAC467D65 Relevance: 9.1, Strings: 7, Instructions: 338COMMON

Download Yara Rule

Strings

r62, xrefs: 00007FFAAC46811F
r62, xrefs: 00007FFAAC467F30
r62, xrefs: 00007FFAAC467DE6
r62, xrefs: 00007FFAAC46807A
r62, xrefs: 00007FFAAC4681C4
r62, xrefs: 00007FFAAC467E8B
r62, xrefs: 00007FFAAC467FD5

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID: r62$r62$r62$r62$r62$r62$r62
API String ID: 0-625199778
Opcode ID: a9ab5401b7cb73e87402300372813888cc700a8324db0569ea47ce044bed3826
Instruction ID: 289e2d8c8df0fbc05e4a4a1b7f72620c00e998720d57cda5cfd50e9ce6923595
Opcode Fuzzy Hash: a9ab5401b7cb73e87402300372813888cc700a8324db0569ea47ce044bed3826
Instruction Fuzzy Hash: 8DD10DB1918A598FEB95EB18C895AE8B7E1FB55304F0081F9E01DD3296CE349E858F41

Function 00007FFAAC466FDF Relevance: 7.8, Strings: 6, Instructions: 300COMMON

Download Yara Rule

Strings

r62, xrefs: 00007FFAAC4671A7
r62, xrefs: 00007FFAAC467396
r62, xrefs: 00007FFAAC46724C
r62, xrefs: 00007FFAAC467102
r62, xrefs: 00007FFAAC4672F1
r62, xrefs: 00007FFAAC46705D

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID: r62$r62$r62$r62$r62$r62
API String ID: 0-3169202230
Opcode ID: b7b4474ef4701a6e32e04781c379dc550d39ef81292675dd610d4f9b327b160c
Instruction ID: 8601d42aff68cfcf7d83f46ded0381cbc6dbe0008dceb979d011cf4d95e67abe
Opcode Fuzzy Hash: b7b4474ef4701a6e32e04781c379dc550d39ef81292675dd610d4f9b327b160c
Instruction Fuzzy Hash: DEB12F71E19A59CFEBA4DB18CC99BE8B7A1FB55301F0442F9E00DD3296CA34AD858F41

Function 00007FFAAC467462 Relevance: 7.8, Strings: 6, Instructions: 299COMMON

Download Yara Rule

Strings

r62, xrefs: 00007FFAAC46762A
r62, xrefs: 00007FFAAC4674E0
r62, xrefs: 00007FFAAC467585
r62, xrefs: 00007FFAAC4676CF
r62, xrefs: 00007FFAAC467774
r62, xrefs: 00007FFAAC467819

Memory Dump Source

Source File: 0000000C.00000002.1857515712.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffaac460000_build.jbxd

Similarity

API ID:
String ID: r62$r62$r62$r62$r62$r62
API String ID: 0-3169202230
Opcode ID: d20b165ae9a9bc13bd43c4c334424449fbebcdc65818871dd01104723aa3c3b0
Instruction ID: 781a98bb65409b2af4caea8037016cd8ec6bc686a6f057c2482a0403cc6a94c5
Opcode Fuzzy Hash: d20b165ae9a9bc13bd43c4c334424449fbebcdc65818871dd01104723aa3c3b0
Instruction Fuzzy Hash: 7DB13DB1D19A59CFEBA4DB18CC99BE8B7A1FB55310F0442F9D00DD3296CA35AD818F41

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KBvv1g0Ihn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

C:\Users\user\AppData\Local\Programs\Xavier1\Eazfuscator.NET 2024.2 Setup.msi (copy)

C:\Users\user\AppData\Local\Programs\Xavier1\build.exe (copy)

C:\Users\user\AppData\Local\Programs\Xavier1\is-3HDQ6.tmp

C:\Users\user\AppData\Local\Programs\Xavier1\is-8C5DR.tmp

C:\Users\user\AppData\Local\Programs\Xavier1\is-K1FQL.tmp

C:\Users\user\AppData\Local\Programs\Xavier1\is-NH14E.tmp

C:\Users\user\AppData\Local\Programs\Xavier1\python-3.13.0-amd64.exe (copy)

C:\Users\user\AppData\Local\Programs\Xavier1\unins000.dat

C:\Users\user\AppData\Local\Programs\Xavier1\unins000.exe (copy)

C:\Users\user\AppData\Local\Temp\is-PLHR2.tmp\KBvv1g0Ihn.tmp

C:\Users\user\AppData\Local\Temp\is-VNJ7M.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Xavier1.lnk

Windows Analysis Report
KBvv1g0Ihn.exe

Function 00007FFAAC68269B Relevance: 5.8, Strings: 4, Instructions: 782
COMMON

Function 00007FFAAC53A450 Relevance: 3.9, Strings: 2, Instructions: 1353
COMMON

Function 00007FFAAC690B26 Relevance: 2.3, Strings: 1, Instructions: 1043
COMMON

Function 00007FFAAC5316B3 Relevance: 2.3, Strings: 1, Instructions: 1007
COMMON

Function 00007FFAAC6921DB Relevance: 2.0, Strings: 1, Instructions: 733
COMMON

Function 00007FFAAC462FF0 Relevance: 4.0, Strings: 3, Instructions: 281
COMMON

Function 00007FFAAC463299 Relevance: 2.8, Strings: 2, Instructions: 319
COMMON

Function 00007FFAAC460F4F Relevance: 2.8, Strings: 2, Instructions: 316
COMMON

Function 00007FFAAC5304FD Relevance: 2.6, Strings: 2, Instructions: 72
COMMON

Function 00007FFAAC53D439 Relevance: 2.1, Strings: 1, Instructions: 876
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre