
Windows Analysis Report
axfdj9gfw.exe

Overview

General Information

Sample name: axfdj9gfw.exe
Analysis ID: 1380876
MD5: a9b37e8dcb39434f179056d861c65b1a
SHA1: 3a1bd50f7fee2088f64ac9013c1e3cf48437beed
SHA256: 997b527ec9037e431630795f329ea53ff3ac6382d9fc8e006d93c94cd0cfd280
Tags: exeredlinestealer

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • axfdj9gfw.exe (PID: 6184 cmdline: C:\Users\user\Desktop\axfdj9gfw.exe MD5: A9B37E8DCB39434F179056D861C65B1A)
    • conhost.exe (PID: 3484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "45.15.156.127:48665", "Authorization Header": "e0e09506ffe823fa44f589362802e03d"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1888547004.0000000000612000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1888190303.000000000040D000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1890894152.0000000002998000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author
0.2.axfdj9gfw.exe.610000.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.axfdj9gfw.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

No Sigma rule has matched
Timestamp: 01/25/24-06:40:02.246018
Source IP: 45.15.156.127
Destination IP: 192.168.2.4
SID: 2043234
Source Port: 48665
Destination Port: 49730
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/25/24-06:40:19.443911
Source IP: 192.168.2.4
Destination IP: 45.15.156.127
SID: 2043231
Source Port: 49730
Destination Port: 48665
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/25/24-06:40:02.006728
Source IP: 192.168.2.4
Destination IP: 45.15.156.127
SID: 2046045
Source Port: 49730
Destination Port: 48665
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/25/24-06:40:08.163197
Source IP: 45.15.156.127
Destination IP: 192.168.2.4
SID: 2046056
Source Port: 48665
Destination Port: 49730
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: 45.15.156.127:48665 | Avira URL Cloud: Label: malware
Source: 0.2.axfdj9gfw.exe.400000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": "45.15.156.127:48665", "Authorization Header": "e0e09506ffe823fa44f589362802e03d"}
Source: 45.15.156.127:48665 | Virustotal: Detection: 14%
Source: axfdj9gfw.exe | Virustotal: Detection: 52%
Source: axfdj9gfw.exe | Joe Sandbox ML: detected
Source: axfdj9gfw.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: WINLOA~1.PDBIEnloh | source: axfdj9gfw.exe, 00000000.00000003.1887544813.0000000000791000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1889299085.0000000000792000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1887316052.0000000000724000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 4x nop then jmp 0604D170h | 0_2_0604CC90
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 4x nop then jmp 0604B8C7h | 0_2_0604AAF0
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 4x nop then jmp 06047F8Ah | 0_2_06047B5A
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 4x nop then jmp 0604840Ah | 0_2_06047B5A
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 4x nop then jmp 0604B8C7h | 0_2_0604B5F5
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 4x nop then jmp 0604940Eh | 0_2_060493ED
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 4x nop then inc dword ptr [ebp-20h] | 0_2_060421A8
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 4x nop then jmp 0604D170h | 0_2_0604CE87
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 0_2_06DF9C08
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 4x nop then jmp 06DF7562h | 0_2_06DF72A2
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 4x nop then jmp 06DF932Bh | 0_2_06DF8B70
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 4x nop then jmp 06DFEBF3h | 0_2_06DFE9C0
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 4x nop then jmp 06DF99FDh | 0_2_06DF9620
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 4x nop then jmp 06DFCAB7h | 0_2_06DFCA9F

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49730 -> 45.15.156.127:48665
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49730 -> 45.15.156.127:48665
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 45.15.156.127:48665 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 45.15.156.127:48665 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: 45.15.156.127:48665
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 45.15.156.127:48665
Source: Joe Sandbox View | IP Address: 45.15.156.127
Source: Joe Sandbox View | ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown | TCP traffic detected without corresponding DNS query: 45.15.156.127
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002935000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002998000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002998000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002935000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002935000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002935000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002935000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.000000000274F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.000000000274F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002998000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002935000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.000000000274F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.000000000274F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                    Source: axfdj9gfw.exeString found in binary or memory: http://www.digicert.com/CPS0
                    Source: axfdj9gfw.exe, 00000000.00000003.1818387684.000000000374A000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003865000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037D7000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003924000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.000000000372F000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003849000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1888547004.0000000000612000.00000020.00001000.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1888190303.000000000040D000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://api.ip.sb/ip
                    Source: axfdj9gfw.exe, 00000000.00000003.1818387684.000000000374A000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003865000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037D7000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003924000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.000000000372F000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003849000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: axfdj9gfw.exe, 00000000.00000003.1818387684.000000000374A000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003865000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037D7000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003924000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.000000000372F000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003849000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: axfdj9gfw.exe, 00000000.00000003.1818387684.000000000374A000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003865000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037D7000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003924000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.000000000372F000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003849000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: axfdj9gfw.exe, 00000000.00000003.1818387684.000000000374A000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003865000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037D7000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003924000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.000000000372F000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003849000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: axfdj9gfw.exe, 00000000.00000003.1818387684.000000000374A000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003865000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037D7000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003924000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.000000000372F000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003849000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                    Source: axfdj9gfw.exe, 00000000.00000003.1818387684.000000000374A000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003865000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037D7000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003924000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.000000000372F000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003849000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: axfdj9gfw.exe, 00000000.00000003.1818387684.000000000374A000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003865000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037D7000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003924000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.000000000372F000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003849000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: axfdj9gfw.exe, 00000000.00000003.1818387684.000000000374A000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003865000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037D7000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003924000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.000000000372F000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003849000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
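The rows above are worth reading as three groups rather than one list. The schemas.xmlsoap.org/ws/... strings are the WS-Trust, WS-ReliableMessaging, WS-SecureConversation and WS-Coordination namespaces that the .NET System.ServiceModel (WCF) runtime carries; the tempuri.org/Entity/IdN strings are WCF's default contract namespace with numbered, meaningless operation names, which is how a stripped service contract looks and is consistent with RedLine's known use of a WCF channel to its panel; api.ip.sb/ip is a public IP lookup; and the search-provider URLs sit only in the 00000003 dumps and most likely come from browser profile data the sample read during harvesting (an inference, not something the report states). The trailing D, S or X on some values is most likely adjacent memory read past the string terminator. The Python below is an added example, not part of the Joe Sandbox report: it parses rows in this format (both the separated form and the raw flattened "...exeString found..." form that text extraction produces), splits the Source cell into process and memory-dump base addresses, buckets each string, and counts the distinct WCF operation numbers. The sample rows are copied from the listing; the category names, regexes and helper names are my own.

```python
"""Parse the "String found in binary or memory" rows of a Joe Sandbox report and
bucket the strings the way a triager reads them.  Added example; category names,
helper names and the sample rows are my own (rows copied from the listing)."""
import re
from dataclasses import dataclass, field

# Constructed sample input: rows taken from the listing above.  The last row is in
# the raw flattened form text extraction produces ("...exeString found ..."); the
# parser accepts both that and the " | " separated form.
SAMPLE_ROWS = """\
Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10
Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1888190303.000000000040D000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: axfdj9gfw.exe, 00000000.00000003.1818387684.000000000374A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: axfdj9gfw.exeString found in binary or memory: http://www.digicert.com/CPS0
"""

ROW_RE = re.compile(r"^Source: (?P<sources>.*?)\s*\|?\s*String found in binary or memory:\s*(?P<value>\S+)$")
# Dump names: <8 hex>.<8 hex>.<decimal>.<16-hex base address>.<further 8-hex fields>.sdmp
DUMP_RE = re.compile(r"^[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\.(?P<addr>[0-9A-Fa-f]{16})(?:\.[0-9A-Fa-f]{8})+\.sdmp$")
WCF_OP_RE = re.compile(r"^http://tempuri\.org/Entity/Id(?P<op>\d+)")

# First matching category wins; names are my own labels.
CATEGORIES = [
    ("public-ip-lookup", re.compile(r"^https://api\.ip\.sb/ip$")),
    ("wcf-default-namespace", re.compile(r"^http://tempuri\.org/")),
    ("ws-star-namespace", re.compile(r"^http://schemas\.xmlsoap\.org/ws/")),
    ("browser-search-provider", re.compile(r"^https://(?:[a-z.]*\.)?(?:duckduckgo|ecosia|yahoo|google)\.(?:com|org)/")),
    ("certificate-policy", re.compile(r"^http://www\.digicert\.com/CPS")),
]


@dataclass
class StringHit:
    value: str
    process: str
    dumps: list = field(default_factory=list)   # [(dump name, base address), ...]
    on_disk: bool = False                        # True when the source is the file itself

    def category(self) -> str:
        for name, pattern in CATEGORIES:
            if pattern.search(self.value):
                return name
        return "unclassified"


def parse_sources(text: str):
    """Split a Source cell into (process, [(dump, base)], on_disk).
    The cell is a list of "process, dump" pairs; a bare process name with no
    following dump means the string was found in the file on disk."""
    tokens = [t.strip() for t in text.split(",") if t.strip()]
    process, dumps, on_disk = None, [], False
    i = 0
    while i < len(tokens):
        process = process or tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        m = DUMP_RE.match(nxt) if nxt else None
        if m:
            dumps.append((nxt, int(m.group("addr"), 16)))
            i += 2
        else:
            on_disk = True
            i += 1
    return process, dumps, on_disk


def parse_report(text: str) -> list:
    """Return one StringHit per recognised row, in report order; other lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            process, dumps, on_disk = parse_sources(m.group("sources"))
            hits.append(StringHit(m.group("value"), process, dumps, on_disk))
    return hits


def summarize(hits) -> dict:
    """Category -> list of string values, preserving report order."""
    summary = {}
    for h in hits:
        summary.setdefault(h.category(), []).append(h.value)
    return summary


def wcf_operation_ids(hits) -> list:
    """Distinct IdN numbers of the tempuri.org/Entity contract: a rough count of the
    operations the embedded WCF client can invoke (request and Response rows collapse)."""
    ops = set()
    for h in hits:
        m = WCF_OP_RE.match(h.value)
        if m:
            ops.add(int(m.group("op")))
    return sorted(ops)


if __name__ == "__main__":
    hits = parse_report(SAMPLE_ROWS)
    for category, values in summarize(hits).items():
        print(f"{category}: {len(values)}")
    print("WCF operations:", wcf_operation_ids(hits))
```

Run it against the full listing (paste the rows into SAMPLE_ROWS or read them from a file) and the operation count for this sample comes out at 24, Id1 through Id24, which is a quick way to compare the C2 contract size between RedLine builds; the dump base addresses let you see that the WCF strings live in the 0x2631000 and 0x26C4000 regions while the search-provider strings sit in a separate set of 00000003 dumps.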
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_00401000
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_00404BD8
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_022CDA2C
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_050E8B48
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_050E0040
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_050E8B38
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05ACC488
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05ACF758
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05ACF6FD
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05ACF645
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05AC40A8
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05AFB6A8
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05AF96C8
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05AF7660
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05AFB15F
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05AFB999
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05AF6928
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05AFC813
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05B048A0
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05B391EC
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05B35130
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05B3DE30
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05B349B0
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05B6E698
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05B641C0
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05B61629
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_0604872F
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_060494A0
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_060402E0
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_0604C008
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06045130
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06049FA8
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_0604CC90
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06045A00
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_0604EA78
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_0604AAF0
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06047B5A
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06049490
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_060402D0
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_0604BFF8
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_0604CC81
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06044DE8
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_0604186A
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06B5C298
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06B50040
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06B5DC68
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06B54D29
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06B58B48
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06B58828
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06B5DC57
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF66C0
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF3FD0
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF77E8
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF5F78
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF9C08
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DFCD10
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF72A2
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF4A61
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF5238
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DFBB78
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF8B70
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF5890
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF09E0
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DFC1B8
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF81B0
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF9620
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF77D8
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF3FC0
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF5F68
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DFD458
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF3450
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF12F8
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DFA341
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DFBB68
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF3810
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF3800
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_07279522
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_072770D8
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_0727563B
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_07275610
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_07275648
Source: axfdj9gfw.exe | Static PE information: invalid certificate
Source: axfdj9gfw.exe, 00000000.00000002.1888592839.0000000000654000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCadency.exe8 vs axfdj9gfw.exe
Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs axfdj9gfw.exe
Source: axfdj9gfw.exe, 00000000.00000002.1889052950.00000000006EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs axfdj9gfw.exe
Source: axfdj9gfw.exe, 00000000.00000002.1888190303.000000000044E000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCadency.exe8 vs axfdj9gfw.exe
Source: axfdj9gfw.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: axfdj9gfw.exe | Static PE information: Section: .reloc IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/1@0/1
Source: C:\Users\user\Desktop\axfdj9gfw.exe | File created: C:\Users\user\AppData\Local\SystemCache
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3484:120:WilError_03
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Users\user\Desktop\axfdj9gfw.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\axfdj9gfw.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: axfdj9gfw.exe | Virustotal: Detection: 52%
Source: unknown | Process created: C:\Users\user\Desktop\axfdj9gfw.exe C:\Users\user\Desktop\axfdj9gfw.exe
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Binary string: WINLOA~1.PDBIEnloh | source: axfdj9gfw.exe, 00000000.00000003.1887544813.0000000000791000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1889299085.0000000000792000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1887316052.0000000000724000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_00408000 VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,___crtGetLocaleInfoEx,lstrlenW,CreateThread,Sleep,WaitForSingleObject
Source: axfdj9gfw.exe | Static PE information: section name: .mter
Source: axfdj9gfw.exe | Static PE information: section name: .ZOmo
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_0040A550 push eax; ret 0_2_0040A565
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_004027C9 push ecx; ret 0_2_004027DC
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_050ED742 push eax; ret 0_2_050ED751
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05B326E8 push 8B036416h; retf 0_2_05B326ED
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_05B38DCA pushad ; ret 0_2_05B38DD5
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06049DE1 pushfd ; iretd 0_2_06049DED
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_060A411C pushad ; ret 0_2_060A411D
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_060A3836 pushfd ; iretd 0_2_060A3837
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06B5851C push FFFFFF8Bh; iretd 0_2_06B5851E
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06B58561 push FFFFFF8Bh; iretd 0_2_06B58563
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF5E78 push es; ret 0_2_06DF5E84
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06DF24FE push cs; ret 0_2_06DF24FF
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\axfdj9gfw.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\axfdj9gfw.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Window / User API: threadDelayed 7617
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Window / User API: threadDelayed 2002
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep | graph_0-125120
Source: C:\Users\user\Desktop\axfdj9gfw.exe TID: 5480 | Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\axfdj9gfw.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: axfdj9gfw.exe | Binary or memory string: gMhah2ZKgEavDrMHAxymzj1mEi8zfdOAhrbAXFO7fneic3yEm4GJw1FqMQOhLQ0eQVMcIZVAJ1JmmC5zR5ouuz7tWznsHxJkNkNuk84cKLwjUXcvBY0xD3yB9jSM5W69ZlaQPAYor1NeAOldOrlKxlM7Zqyw0TwIp9sSL17GudzXudTrMm2LHgaOSnUqSkeJPKhqqXkFtcAMwGS5nLmGy2GHww9nULrXRy2pFEAAagK36ohWHSwJY1FMzP6ukpvzRfr6
Source: axfdj9gfw.exe, 00000000.00000003.1887544813.0000000000791000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1889299085.0000000000792000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1887316052.0000000000724000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\axfdj9gfw.exe | API call chain: ExitProcess graph end node | graph_0-125310
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_06047130 LdrInitializeThunk
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_00402C0A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_00408000 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_00401422 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_00405303 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_0040519E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_00408000 VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,___crtGetLocaleInfoEx,lstrlenW,CreateThread,Sleep,WaitForSingleObject
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_00406CDC GetLocaleInfoA
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_00408C80 ___crtGetLocaleInfoEx
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Code function: 0_2_0040296C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\Desktop\axfdj9gfw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: axfdj9gfw.exe, 00000000.00000003.1816778908.0000000005C09000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1817034538.0000000005C0A000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1817669853.0000000005C0A000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1816829788.0000000005C0A000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1817102520.0000000005C0A000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1817588219.0000000005C0A000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1817949567.0000000005C0A000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1817739831.0000000005C0A000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1816887972.0000000005C0A000.00000004.00000020.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1814517095.0000000005C09000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\axfdj9gfw.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\axfdj9gfw.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\axfdj9gfw.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\axfdj9gfw.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\axfdj9gfw.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\axfdj9gfw.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 0.2.axfdj9gfw.exe.610000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.axfdj9gfw.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1888547004.0000000000612000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1888190303.000000000040D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: axfdj9gfw.exe PID: 6184, type: MEMORYSTR
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002998000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: axfdj9gfw.exe | String found in binary or memory: h5e63yIDqtjVI5ShX6iuZQHZZH4tpCpb2RV7LbzieRE1QkVl00zE5kcIvhzssp51va3UZj9Lgs84kF2g4d633gXmJaxXPOECYVdOvS8dobMVeRXbRxDcExJMrdvfCiOGfl9Fmn5BsfvXn4pgmeyU7HYO8EPJEY4rsYZCha37kkL6xJ44CyBzOggEjM1mAwZgjkzi04r2dhmrDiDylN9gRAQEbhRfMw3uqqU0Ayf4IySmkEcZUuMPr3sJgWvJROUneypX
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002998000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR^q
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002998000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR^q
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002998000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q%appdata%`,^qdC:\Users\user\AppData\Roaming`,^qdC:\Users\user\AppData\Roaming\Binance
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002998000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q&%localappdata%\Coinomi\Coinomi\walletsLR^q
                    Source: axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002998000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: C:\Users\user\Desktop\axfdj9gfw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\axfdj9gfw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\axfdj9gfw.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\axfdj9gfw.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                    Source: C:\Users\user\Desktop\axfdj9gfw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                    Source: C:\Users\user\Desktop\axfdj9gfw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: Yara match | File source: 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1890894152.0000000002998000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: axfdj9gfw.exe PID: 6184, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 0.2.axfdj9gfw.exe.610000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.axfdj9gfw.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1888547004.0000000000612000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1888190303.000000000040D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: axfdj9gfw.exe PID: 6184, type: MEMORYSTR

                    ATT&CK matrix, listed per tactic (the digits in parentheses are the counts shown in the report's matrix cells, kept as printed):
                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                    Execution: Windows Management Instrumentation (221); Native API (2); At; Cron; Launchd; Scheduled Task
                    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                    Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                    Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (231); Process Injection (1); Obfuscated Files or Information (2); Steganography
                    Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                    Discovery: System Time Discovery (1); Security Software Discovery (241); Process Discovery (1); Virtualization/Sandbox Evasion (231); Application Window Discovery (1); System Information Discovery (124)
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                    Collection: Archive Collected Data (1); Data from Local System (2); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                    Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop


                    Source | Detection | Scanner
                    axfdj9gfw.exe | 52% | Virustotal
                    axfdj9gfw.exe | 100% | Joe Sandbox ML
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    https://api.ip.sb/ip | 0% | URL Reputation | safe
                    http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id23ResponseD | 1% | Virustotal |
                    http://tempuri.org/Entity/Id14ResponseD | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id12Response | 2% | Virustotal |
                    http://tempuri.org/ | 0% | Virustotal |
                    http://tempuri.org/Entity/Id14ResponseD | 2% | Virustotal |
                    http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe
                    http://tempuri.org/ | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id6ResponseD | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe
                    45.15.156.127:48665 | 100% | Avira URL Cloud | malware
                    http://tempuri.org/Entity/Id8 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id9 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id6ResponseD | 1% | Virustotal |
                    45.15.156.127:48665 | 14% | Virustotal |
                    http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id2Response | 2% | Virustotal |
                    http://tempuri.org/Entity/Id5 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id13ResponseD | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id4 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id19Response | 2% | Virustotal |
                    http://tempuri.org/Entity/Id15Response | 2% | Virustotal |
                    http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id13ResponseD | 1% | Virustotal |
                    http://tempuri.org/Entity/Id7 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id5ResponseD | 2% | Virustotal |
                    http://tempuri.org/Entity/Id6 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id6Response | 2% | Virustotal |
                    http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id1ResponseD | 1% | Virustotal |
                    http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id9Response | 2% | Virustotal |
                    http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id20 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id21 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id21Response | 4% | Virustotal |
                    http://tempuri.org/Entity/Id21ResponseD | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id23 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id24Response | 2% | Virustotal |
                    http://tempuri.org/Entity/Id24 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id10ResponseD | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id22 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id1Response | 2% | Virustotal |
                    http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id10ResponseD | 1% | Virustotal |
                    http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id10 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id21ResponseD | 1% | Virustotal |
                    http://tempuri.org/Entity/Id16Response | 2% | Virustotal |
                    http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id12 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id13 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id11 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id14 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id15ResponseD | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id16 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id17 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id19 | 1% | Virustotal |
                    http://tempuri.org/Entity/Id11ResponseD | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id17ResponseD | 0% | Avira URL Cloud | safe
                    http://tempuri.org/Entity/Id18 | 1% | Virustotal |
                    No contacted domains info
                    Name | Malicious | Antivirus Detection | Reputation
                    45.15.156.127:48665 | true | 14% Virustotal; Avira URL Cloud: malware | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2005/02/sc/sct | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://duckduckgo.com/chrome_newtab | axfdj9gfw.exe, 00000000.00000003.1818387684.000000000374A000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003865000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037D7000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003924000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036BD000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://duckduckgo.com/ac/?q= | axfdj9gfw.exe, 00000000.00000003.1818387684.000000000374A000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003865000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037D7000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003924000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.000000000372F000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003849000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036BD000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id14ResponseD | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | 2% Virustotal; Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id23ResponseD | axfdj9gfw.exe, 00000000.00000002.1890894152.000000000274F000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id12Response | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | 2% Virustotal; Avira URL Cloud: safe | unknown
                    http://tempuri.org/ | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id2Response | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | 2% Virustotal; Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id21Response | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | 4% Virustotal; Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id9 | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id8 | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id6ResponseD | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id5 | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id4 | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id7 | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id6 | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id19Response | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | 2% Virustotal; Avira URL Cloud: safe | unknown
                    http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id13ResponseD | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2004/10/wsat | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id15Response | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | 2% Virustotal; Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id5ResponseD | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | 2% Virustotal; Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id6Response | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | 2% Virustotal; Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://api.ip.sb/ip | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1888547004.0000000000612000.00000020.00001000.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1888190303.000000000040D000.00000004.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/04/sc | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id1ResponseD | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id9Response | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.000000000274F000.00000004.00000800.00020000.00000000.sdmp | false | 2% Virustotal; Avira URL Cloud: safe | unknown
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | axfdj9gfw.exe, 00000000.00000003.1818387684.000000000374A000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003865000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037D7000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003924000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.000000000372F000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003849000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036BD000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://tempuri.org/Entity/Id20 | axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
                    http://tempuri.org/Entity/Id21 | axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false
                                                                        • 1%, Virustotal, Browse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://tempuri.org/Entity/Id22axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • 1%, Virustotal, Browse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id23axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • 1%, Virustotal, Browse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id24axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • 1%, Virustotal, Browse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issueaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://tempuri.org/Entity/Id24Responseaxfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • 2%, Virustotal, Browse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://www.ecosia.org/newtab/axfdj9gfw.exe, 00000000.00000003.1818387684.000000000374A000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003865000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037BC000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000037D7000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003924000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.000000000372F000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.0000000003849000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000003.1818387684.00000000036BD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://tempuri.org/Entity/Id1Responseaxfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • 2%, Virustotal, Browse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedaxfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Replayaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binaryaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://tempuri.org/Entity/Id21ResponseDaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • 1%, Virustotal, Browse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://schemas.xmlsoap.org/ws/2004/08/addressingaxfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issueaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Completionaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trustaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://tempuri.org/Entity/Id10axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id11axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id10ResponseDaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id12axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id16Responseaxfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 2%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancelaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id13axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • 1%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id14axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • 1%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id15axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id16axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • 1%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/Nonceaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id17axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • 1%, Virustotal, Browse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id18axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • 1%, Virustotal, Browse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id5Responseaxfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id19axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • 1%, Virustotal, Browse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsaxfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id15ResponseDaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002998000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id10Responseaxfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/Renewaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id11ResponseDaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id8Responseaxfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityaxfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id17ResponseDaxfdj9gfw.exe, 00000000.00000002.1890894152.0000000002935000.00000004.00000800.00020000.00000000.sdmp, axfdj9gfw.exe, 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://schemas.xmlsoap.org/soap/envelope/axfdj9gfw.exe, 00000000.00000002.1890894152.0000000002631000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
IP | Domain | Country | ASN | ASN Name | Malicious
45.15.156.127 | unknown | Russian Federation | 39493 | RU-KSTV Kolomna Group of companies Guarantee-tv, RU | true
                                                                                                                            Joe Sandbox version:39.0.0 Ruby
                                                                                                                            Analysis ID:1380876
                                                                                                                            Start date and time:2024-01-25 06:39:06 +01:00
                                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                                            Overall analysis duration:0h 4m 47s
                                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                                            Report type:full
                                                                                                                            Cookbook file name:default.jbs
                                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                            Number of analysed new started processes analysed:5
                                                                                                                            Number of new started drivers analysed:0
                                                                                                                            Number of existing processes analysed:0
                                                                                                                            Number of existing drivers analysed:0
                                                                                                                            Number of injected processes analysed:0
                                                                                                                            Technologies:
                                                                                                                            • HCA enabled
                                                                                                                            • EGA enabled
                                                                                                                            • AMSI enabled
                                                                                                                            Analysis Mode:default
                                                                                                                            Analysis stop reason:Timeout
                                                                                                                            Sample name:axfdj9gfw.exe
                                                                                                                            Detection:MAL
                                                                                                                            Classification:mal100.troj.spyw.evad.winEXE@2/1@0/1
                                                                                                                            EGA Information:
                                                                                                                            • Successful, ratio: 100%
                                                                                                                            HCA Information:
                                                                                                                            • Successful, ratio: 100%
                                                                                                                            • Number of executed functions: 414
                                                                                                                            • Number of non-executed functions: 0
                                                                                                                            Cookbook Comments:
                                                                                                                            • Found application associated with file extension: .exe
                                                                                                                            • Stop behavior analysis, all processes terminated
                                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                                                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                            • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
06:40:11 | API Interceptor | 70x Sleep call for process: axfdj9gfw.exe modified
Match: 45.15.156.127

Associated Sample Name / URL | Detection | Threat Name
last.exe | malicious | RedLine, Xmrig
edgag365.exe | malicious | RedLine
Shxdow.exe | malicious | RedLine
GLP3Q0PFY4.exe | malicious | RedLine
07CKY9gp1H.exe | malicious | RedLine
8as7BA35XQ.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz
2TWG5GKJcw.exe | malicious | RedLine
Fx7EIIKW9R.exe | malicious | RedLine
pooXYQy15z.exe | malicious | RedLine
                                                                                                                                              No context
Match: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU

Associated Sample Name / URL | Detection | Threat Name | Context
toolspub1.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | 45.15.156.60
file.exe | malicious | RedLine, zgRAT | 5.42.65.31
file.exe | malicious | Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar | 5.42.64.33
file.exe | malicious | RedLine | 45.15.156.60
install.msi | malicious | RMSRemoteAdmin, Remote Utilities | 5.42.92.30
SecuriteInfo.com.Win64.Evo-gen.16085.20859.exe | malicious | Amadey, AsyncRAT, Djvu, Fabookie, LummaC Stealer, RHADAMANTHYS, RedLine | 5.42.64.33
file.exe | malicious | LummaC, Amadey, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine | 45.15.156.60
file.exe | malicious | RedLine | 45.15.156.60
file.exe | malicious | Stealc, Vidar | 5.42.64.33
x5e0c6nlpQ.exe | malicious | Amadey, PureLog Stealer, RedLine, zgRAT | 5.42.65.31
                                                                                                                                              No context
                                                                                                                                              No context
                                                                                                                                              Process:C:\Users\user\Desktop\axfdj9gfw.exe
                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                              Category:dropped
                                                                                                                                              Size (bytes):3094
                                                                                                                                              Entropy (8bit):5.33145931749415
                                                                                                                                              Encrypted:false
                                                                                                                                              SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                                                                                                                                              MD5:2A56468A7C0F324A42EA599BF0511FAF
                                                                                                                                              SHA1:404B343A86EDEDF5B908D7359EB8AA957D1D4333
                                                                                                                                              SHA-256:6398E0BD46082BBC30008BC72A2BA092E0A1269052153D343AA40F935C59957C
                                                                                                                                              SHA-512:19B79181C40AA51C7ECEFCD4C9ED42D5BA19EA493AE99654D3A763EA9B21B1ABE5B5739AAC425E461609E1165BCEA749CFB997DE0D35303B4CF2A29BDEF30B17
                                                                                                                                              Malicious:false
                                                                                                                                              Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Note on this dropped file: the preview has the record format of the .NET 4 runtime's assembly usage log (one record per assembly bound, with the native-image path where an NGEN image was used). It shows System.Windows.Forms, System, System.Drawing, System.Core, System.Configuration and System.Xml being loaded into axfdj9gfw.exe, so the process executed managed code, even though the static fields below give an empty CLR (.Net) Version and a native Visual C++ 2008 toolchain. That combination is consistent with a native stub handing control to a managed payload; the static PE fields below describe the stub, not that payload.
                                                                                                                                              File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                              Entropy (8bit):5.841754761426282
                                                                                                                                              TrID:
                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.83%
                                                                                                                                              • Windows Screen Saver (13104/52) 0.13%
                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                              File name:axfdj9gfw.exe
                                                                                                                                              File size:410'777 bytes
                                                                                                                                              MD5:a9b37e8dcb39434f179056d861c65b1a
                                                                                                                                              SHA1:3a1bd50f7fee2088f64ac9013c1e3cf48437beed
                                                                                                                                              SHA256:997b527ec9037e431630795f329ea53ff3ac6382d9fc8e006d93c94cd0cfd280
                                                                                                                                              SHA512:208756d89964717db398ffef9099a67b9817b8c3eaa9f1f1047af6c4f0f6fae9cb7718fc17ec1fc1bfc9c4eb72c2ad4756187ac926f0b73fa66384a71f4f1b13
                                                                                                                                              SSDEEP:6144:PZPNyGs1uI87eNPG5kKnyATxszAJGUN1xXNgZb1cEVMsdJnWQ2If:xPmZb1cOdAQ2a
                                                                                                                                              TLSH:F4948CE1B170D5BCCC4CE637B315C059FC807867A9E772EA34844A9629EA76C5680FE3
                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\p..=...=...=...o...=...o...=...o...=....e..=..92C..=...=...=...E...=...E...=..Rich.=..........................PE..L......e...
                                                                                                                                              Icon Hash:90cececece8e8eb0
                                                                                                                                              Entrypoint:0x4013d6
                                                                                                                                              Entrypoint Section:.text
                                                                                                                                              Digitally signed:true
                                                                                                                                              Imagebase:0x400000
                                                                                                                                              Subsystem:windows cui
                                                                                                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                                              Time Stamp:0x65AD8C86 [Sun Jan 21 21:28:38 2024 UTC]
                                                                                                                                              TLS Callbacks:
                                                                                                                                              CLR (.Net) Version:
                                                                                                                                              OS Version Major:5
                                                                                                                                              OS Version Minor:0
                                                                                                                                              File Version Major:5
                                                                                                                                              File Version Minor:0
                                                                                                                                              Subsystem Version Major:5
                                                                                                                                              Subsystem Version Minor:0
                                                                                                                                              Import Hash:06eb4d13e1bb2dcafbe526f4a64db1ae
Signature Valid:false
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST)
Not Before / Not After:
• 04/10/2023 01:00:00 / 04/10/2024 00:59:59
Subject Chain:
• CN=Spotify AB, O=Spotify AB, L=Stockholm, C=SE, SERIALNUMBER=556703-7485, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=SE
Version:3
Thumbprint MD5:4D560750375195A86BA5F8F90C38104E
Thumbprint SHA-1:AD50220499F12C553C03F7B4C172392DB8FC737B
Thumbprint SHA-256:88AE80188017EFC3EB7550C57F8D18A0A76CD36BE1DE1EC47A5E85A0E5C2438A
Serial:0FAB670A61BF4B7DAFD559356B5BCCFF

Reading these fields together: the file carries an Authenticode certificate table whose certificate was issued by DigiCert to Spotify AB, but the digest recorded inside that signature does not match the file's contents. TRUST_E_BAD_DIGEST means one of two things, both bad: the binary was modified after it was signed, or a certificate table lifted from a genuinely signed Spotify binary was appended to this one. Either way the subject name says nothing about who produced this file, and "Digitally signed: true" above is only meaningful when read next to "Signature Valid: false".
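The signature fields above are where the report separates "has a signature" from "is signed by Spotify". The following added example (written for this page, not code from Joe Sandbox or from the sample) computes the Authenticode digest of a PE32 the way a verifier does, skipping the CheckSum field, the Security data directory entry and the certificate table itself, and shows why a certificate table can be carried over to a different binary while the signature stops verifying. It assumes a PE32 with a single certificate table at the end of the file, does not parse the PKCS#7 blob (it takes the attested digest as a parameter where a real verifier reads it from SpcIndirectDataContent), and builds its own constructed PE32 rather than operating on the sample.

```python
"""Authenticode digest of a PE32 and the state of its certificate table.

Added example (not code from the sandbox or the sample). Follows the hashing
rules of Microsoft's Authenticode PE spec for a PE32 whose single certificate
table is the last thing in the file, on a constructed PE32 so it runs offline.
The PKCS#7 blob is not parsed: a real verifier compares the digest computed
here with messageDigest inside that blob; a mismatch is TRUST_E_BAD_DIGEST.
"""
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY; its VirtualAddress is a file offset

def parse_pe32(data):
    """Offsets Authenticode must skip, plus section and certificate-table locations."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    secdir_off = opt + 96 + 8 * SECURITY_DIR
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    sections = []
    for i in range(num_sections):  # (SizeOfRawData, PointerToRawData) sit at +16 of each header
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + size_of_opt + 40 * i + 16)
        sections.append((raw_ptr, raw_size))
    return {"checksum_off": opt + 64, "secdir_off": secdir_off,
            "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
            "sections": sections, "cert_off": cert_off, "cert_size": cert_size}

def authenticode_digest(data, algo="sha256"):
    """Hash everything except CheckSum, the Security directory entry and the cert table."""
    pe = parse_pe32(data)
    h = hashlib.new(algo)
    h.update(data[:pe["checksum_off"]])
    h.update(data[pe["checksum_off"] + 4:pe["secdir_off"]])
    h.update(data[pe["secdir_off"] + 8:pe["size_of_headers"]])
    hashed = pe["size_of_headers"]
    for raw_ptr, raw_size in sorted(pe["sections"]):  # section data in file order
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(data) - hashed - pe["cert_size"]  # overlay before the cert table is hashed too
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()

def certificate_table(data):
    """(wRevision, wCertificateType, bCertificate) of WIN_CERTIFICATE, or None if unsigned."""
    pe = parse_pe32(data)
    if pe["cert_size"] == 0:
        return None
    length, revision, cert_type = struct.unpack_from("<IHH", data, pe["cert_off"])
    return revision, cert_type, data[pe["cert_off"] + 8:pe["cert_off"] + length]

def signature_state(data, attested_digest):
    """'unsigned', 'valid digest' or 'TRUST_E_BAD_DIGEST'. attested_digest stands in
    for the messageDigest a real verifier extracts from the PKCS#7 blob."""
    if certificate_table(data) is None:
        return "unsigned"
    return "valid digest" if authenticode_digest(data) == attested_digest else "TRUST_E_BAD_DIGEST"

def build_test_pe(code, cert_blob=b""):
    """Constructed minimal PE32 (one .text section, optional certificate table).
    Good enough for the parser above; not a loadable binary."""
    size_of_headers = 0x200
    code = code.ljust(0x200, b"\0")  # assumes len(code) <= 0x200 (FileAlignment)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)  # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<III", opt, 56, 0x2000, size_of_headers, 0xDEADBEEF)  # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<H", opt, 68, 3)  # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    cert_table = b""
    if cert_blob:
        length = 8 + len(cert_blob)  # WIN_CERTIFICATE: dwLength, wRevision 2.0, PKCS_SIGNED_DATA, blob
        cert_table = (struct.pack("<IHH", length, 0x0200, 0x0002) + cert_blob).ljust((length + 7) & ~7, b"\0")
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, size_of_headers + len(code), len(cert_table))
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code), size_of_headers, 0, 0, 0, 0, 0x60000020)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0x65AD8C86, 0, 0, len(opt), 0x0102)
    return (dos + coff + bytes(opt) + section).ljust(size_of_headers, b"\0") + code + cert_table

# Constructed inputs for the demonstration, not bytes from the analysed sample.
CODE_SIGNED = b"\x31\xc0\xc3"    # xor eax, eax; ret
CODE_MODIFIED = b"\xcc\xcc\xcc"  # stands in for code altered after signing
FAKE_PKCS7 = b"PKCS7-PLACEHOLDER-NOT-A-REAL-SIGNATURE"

if __name__ == "__main__":
    signed = build_test_pe(CODE_SIGNED, FAKE_PKCS7)
    attested = authenticode_digest(signed)  # the digest the signer actually signed
    print("signed:  ", signature_state(signed, attested))
    print("tampered:", signature_state(build_test_pe(CODE_MODIFIED, FAKE_PKCS7), attested))
    print("unsigned:", signature_state(build_test_pe(CODE_SIGNED), attested))
```

Because the certificate table is excluded from the digest, replacing or appending it never changes the hash, which is exactly why a signature blob can be moved onto a different file; the verifier only notices because the digest inside the blob no longer matches. On a real file, run `authenticode_digest(open(path, "rb").read())` and compare with the messageDigest from the PKCS#7 blob (the pefile and signify Python packages can extract it); on Windows, `Get-AuthenticodeSignature` reports this same failure as Status HashMismatch, the PowerShell face of TRUST_E_BAD_DIGEST.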
                                                                                                                                              Instruction
                                                                                                                                              call 00007F3E28BCB446h
                                                                                                                                              jmp 00007F3E28BC9D59h
                                                                                                                                              mov edi, edi
                                                                                                                                              push ebp
                                                                                                                                              mov ebp, esp
                                                                                                                                              mov eax, dword ptr [ebp+08h]
                                                                                                                                              mov eax, dword ptr [eax]
                                                                                                                                              cmp dword ptr [eax], E06D7363h
                                                                                                                                              jne 00007F3E28BC9EDCh
                                                                                                                                              cmp dword ptr [eax+10h], 03h
                                                                                                                                              jne 00007F3E28BC9ED6h
                                                                                                                                              mov eax, dword ptr [eax+14h]
                                                                                                                                              cmp eax, 19930520h
                                                                                                                                              je 00007F3E28BC9EC7h
                                                                                                                                              cmp eax, 19930521h
                                                                                                                                              je 00007F3E28BC9EC0h
                                                                                                                                              cmp eax, 19930522h
                                                                                                                                              je 00007F3E28BC9EB9h
                                                                                                                                              cmp eax, 01994000h
                                                                                                                                              jne 00007F3E28BC9EB7h
                                                                                                                                              call 00007F3E28BCB49Bh
                                                                                                                                              xor eax, eax
                                                                                                                                              pop ebp
                                                                                                                                              retn 0004h
                                                                                                                                              push 004013E0h
                                                                                                                                              call dword ptr [0040B05Ch]
                                                                                                                                              xor eax, eax
                                                                                                                                              ret
                                                                                                                                              mov edi, edi
                                                                                                                                              push ebp
                                                                                                                                              mov ebp, esp
                                                                                                                                              push edi
                                                                                                                                              mov edi, 000003E8h
                                                                                                                                              push edi
                                                                                                                                              call dword ptr [0040B04Ch]
                                                                                                                                              push dword ptr [ebp+08h]
                                                                                                                                              call dword ptr [0040B060h]
                                                                                                                                              add edi, 000003E8h
                                                                                                                                              cmp edi, 0000EA60h
                                                                                                                                              jnbe 00007F3E28BC9EB6h
                                                                                                                                              test eax, eax
                                                                                                                                              je 00007F3E28BC9E90h
                                                                                                                                              pop edi
                                                                                                                                              pop ebp
                                                                                                                                              ret
                                                                                                                                              mov edi, edi
                                                                                                                                              push ebp
                                                                                                                                              mov ebp, esp
                                                                                                                                              call 00007F3E28BCA35Eh
                                                                                                                                              push dword ptr [ebp+08h]
                                                                                                                                              call 00007F3E28BCA1ABh
                                                                                                                                              push dword ptr [0045720Ch]
                                                                                                                                              call 00007F3E28BCAC6Ah
                                                                                                                                              push 000000FFh
                                                                                                                                              call eax
                                                                                                                                              add esp, 0Ch
                                                                                                                                              pop ebp
                                                                                                                                              ret
                                                                                                                                              mov edi, edi
                                                                                                                                              push ebp
                                                                                                                                              mov ebp, esp
                                                                                                                                              push 0040B190h
                                                                                                                                              call dword ptr [0040B060h]
                                                                                                                                              test eax, eax
                                                                                                                                              je 00007F3E28BC9EC7h
                                                                                                                                              Programming Language:
                                                                                                                                              • [C++] VS2008 build 21022
                                                                                                                                              • [ASM] VS2008 build 21022
                                                                                                                                              • [ C ] VS2008 build 21022
                                                                                                                                              • [IMP] VS2005 build 50727
                                                                                                                                              • [C++] VS2008 SP1 build 30729
                                                                                                                                              • [LNK] VS2008 SP1 build 30729
Name                                  | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          | 0x59000         | 0x43         | .ZOmo
IMAGE_DIRECTORY_ENTRY_IMPORT          | 0xc564          | 0x64         | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_EXCEPTION       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY        | 0x61b51         | 0x2948       | .ZOmo
IMAGE_DIRECTORY_ENTRY_BASERELOC       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG           | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS             | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT             | 0xb000          | 0x130        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED        | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy            | Characteristics
.text  | 0x1000          | 0x647b       | 0x6600   | 9b36aed5aa5405f54613dfd7d84433d8 | False    | 0.6128216911764706  | data      | 6.565266899794431  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x8000          | 0x191a       | 0x1a00   | 67cfca2e7143eaa54200bc81c8d8bf67 | False    | 0.6564002403846154  | data      | 5.9317383627267555 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.mter  | 0xa000          | 0x56c        | 0x600    | 9fdee55dfefdd43ebc8ebffa41cb5346 | False    | 0.7311197916666666  | data      | 5.538151635038849  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb000          | 0x1c48       | 0x1e00   | a0c2d1c336e8b4396acf1b85e2d2dac6 | False    | 0.34075520833333334 | data      | 5.3318001654700575 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0xd000          | 0x4ba1c      | 0x4b000  | 3c7e7d2079ae8bda4e77dbdf1f09f64b | False    | 0.3780078125        | data      | 4.991872197551278  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ZOmo  | 0x59000         | 0xd000       | 0xc351   | f828ecd3940cfaee0684701b9b07ee13 | False    | 0.751964960700786   | data      | 5.960669258235354  | IMAGE_SCN_MEM_READ
DLL          | Import
KERNEL32.dll | FreeConsole, VirtualAlloc, LoadLibraryA, GetProcAddress, lstrlenW, CreateThread, Sleep, WaitForSingleObject, VirtualProtect, GetCommandLineA, SetUnhandledExceptionFilter, GetModuleHandleW, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, HeapReAlloc, RtlUnwind, HeapSize, GetLocaleInfoA, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW
GDI32.dll    | GetObjectA, GetStockObject, DeleteObject, SetBkMode, SelectObject, CreateFontIndirectA, SetTextColor
COMDLG32.dll | GetOpenFileNameA, GetSaveFileNameA
ADVAPI32.dll | RegDeleteKeyA
Timestamp                | Protocol | SID     | Message                                                                               | Source Port | Dest Port | Source IP     | Dest IP
01/25/24-06:40:02.246018 | TCP      | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response                                      | 48665       | 49730     | 45.15.156.127 | 192.168.2.4
01/25/24-06:40:19.443911 | TCP      | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity                                            | 49730       | 48665     | 192.168.2.4   | 45.15.156.127
01/25/24-06:40:02.006728 | TCP      | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49730       | 48665     | 192.168.2.4   | 45.15.156.127
01/25/24-06:40:08.163197 | TCP      | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)                      | 48665       | 49730     | 45.15.156.127 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                              Jan 25, 2024 06:40:17.657313108 CET4973048665192.168.2.445.15.156.127
                                                                                                                                              Jan 25, 2024 06:40:17.657382011 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.657500982 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.657579899 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.657692909 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.657905102 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.657941103 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.658015966 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.694803953 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.891772032 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.891943932 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.892256021 CET4973048665192.168.2.445.15.156.127
                                                                                                                                              Jan 25, 2024 06:40:17.892445087 CET4973048665192.168.2.445.15.156.127
                                                                                                                                              Jan 25, 2024 06:40:17.892561913 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.892771006 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.892807007 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.892924070 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.892956018 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.893237114 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.893270016 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.893347979 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.893461943 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.893495083 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.893528938 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.893724918 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.893798113 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.893832922 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.893866062 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.894177914 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.894356012 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.894787073 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.894860983 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.895342112 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.895375013 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.895886898 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.895920038 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.895951986 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.937238932 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:17.937494993 CET4973048665192.168.2.445.15.156.127
                                                                                                                                              Jan 25, 2024 06:40:17.937643051 CET4973048665192.168.2.445.15.156.127
                                                                                                                                              Jan 25, 2024 06:40:18.128472090 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.128532887 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.128566027 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.128602028 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.128633976 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.128667116 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.129195929 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.129230976 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.129266024 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.129376888 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.129411936 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.129674911 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.129880905 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.129937887 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.129972935 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.130466938 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.130729914 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.131042004 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.131371975 CET4973048665192.168.2.445.15.156.127
                                                                                                                                              Jan 25, 2024 06:40:18.131551981 CET4973048665192.168.2.445.15.156.127
                                                                                                                                              Jan 25, 2024 06:40:18.173162937 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.173223019 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.173259974 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.173434019 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.173613071 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.173645020 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.173679113 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.173763990 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.174123049 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.174158096 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.174190044 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.174221992 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.174324989 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.174357891 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.174521923 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.174734116 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.174871922 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.174905062 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.175610065 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.175642967 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.175725937 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.176151991 CET4973048665192.168.2.445.15.156.127
                                                                                                                                              Jan 25, 2024 06:40:18.176358938 CET4973048665192.168.2.445.15.156.127
                                                                                                                                              Jan 25, 2024 06:40:18.368314028 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368377924 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368412018 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368446112 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368478060 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368511915 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368545055 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368577957 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368612051 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368643999 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368674040 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368705988 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368736982 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368767023 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368798971 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368830919 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.368863106 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.371602058 CET4973048665192.168.2.445.15.156.127
                                                                                                                                              Jan 25, 2024 06:40:18.371731043 CET4973048665192.168.2.445.15.156.127
                                                                                                                                              Jan 25, 2024 06:40:18.412091970 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.412293911 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.412328959 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.412360907 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.412394047 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.412427902 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.412462950 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.412496090 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.412528038 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.412625074 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.412662029 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.413834095 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.413866997 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.413918972 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.413954020 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.413986921 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.414019108 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.414052010 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.414468050 CET4973048665192.168.2.445.15.156.127
                                                                                                                                              Jan 25, 2024 06:40:18.414587975 CET4973048665192.168.2.445.15.156.127
                                                                                                                                              Jan 25, 2024 06:40:18.607289076 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.607450962 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.607485056 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.607611895 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.607932091 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.607964993 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.608041048 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.608083010 CET486654973045.15.156.127192.168.2.4
                                                                                                                                              Jan 25, 2024 06:40:18.608181000 CET486654973045.15.156.127192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jan 25, 2024 06:40:18.608196020 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.608355999 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.608371019 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.608551025 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.608962059 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.608977079 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.609013081 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.609401941 CET  49730        48665      192.168.2.4     45.15.156.127
Jan 25, 2024 06:40:18.650270939 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.650291920 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.650459051 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.650476933 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.650491953 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.650506973 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.650552988 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.650742054 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.650830030 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.650950909 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.651036978 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.651163101 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.651182890 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.651309967 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.651324987 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.651559114 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.651846886 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.692111015 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.844878912 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.844897032 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.845309019 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.845535040 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.845551968 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.846316099 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:18.898726940 CET  49730        48665      192.168.2.4     45.15.156.127
Jan 25, 2024 06:40:18.970639944 CET  49730        48665      192.168.2.4     45.15.156.127
Jan 25, 2024 06:40:19.206059933 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:19.206080914 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:19.206096888 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:19.206113100 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:19.206832886 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:19.207258940 CET  49730        48665      192.168.2.4     45.15.156.127
Jan 25, 2024 06:40:19.442913055 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:19.443911076 CET  49730        48665      192.168.2.4     45.15.156.127
Jan 25, 2024 06:40:19.682143927 CET  48665        49730      45.15.156.127   192.168.2.4
Jan 25, 2024 06:40:19.726866961 CET  49730        48665      192.168.2.4     45.15.156.127
Jan 25, 2024 06:40:19.835103989 CET  49730        48665      192.168.2.4     45.15.156.127
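The packet rows above are one TCP session between the sandbox host (192.168.2.4, ephemeral port 49730) and 45.15.156.127 on port 48665, the endpoint the report's "traffic on non-standard ports" and C2-configuration signatures refer to. The script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses rows in the column layout of that table, groups them into flows per remote endpoint, counts packets in each direction, and emits a Snort rule for any remote endpoint on a non-standard port. The sample rows are copied from the table; the private address range used to identify the sandbox side, the allowlist of "standard" server ports, the rule message and the SID are assumptions chosen for the example.

```python
"""Flow summary for Joe Sandbox "TCP Packets" rows (added example).

Input rows are assumed to be in the column layout of the packet table
(timestamp, source port, destination port, source IP, destination IP,
separated by whitespace). The private-range check and the port allowlist
are assumptions used to decide which side is the sandbox host and whether
the server-side port counts as "standard".
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: six rows of the table above, chosen to cover both
# directions and the first and last packets of the excerpt.
SAMPLE_ROWS = """
Jan 25, 2024 06:40:18.608196020 CET  48665  49730  45.15.156.127  192.168.2.4
Jan 25, 2024 06:40:18.608355999 CET  48665  49730  45.15.156.127  192.168.2.4
Jan 25, 2024 06:40:18.609401941 CET  49730  48665  192.168.2.4    45.15.156.127
Jan 25, 2024 06:40:18.898726940 CET  49730  48665  192.168.2.4    45.15.156.127
Jan 25, 2024 06:40:19.442913055 CET  48665  49730  45.15.156.127  192.168.2.4
Jan 25, 2024 06:40:19.835103989 CET  49730  48665  192.168.2.4    45.15.156.127
""".strip().splitlines()

ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) \w+\s+"
    r"(?P<sport>\d{1,5})\s+(?P<dport>\d{1,5})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Assumption: a server port outside this small set is treated as
# "non-standard", in the spirit of the report's signature of that name.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080}


@dataclass
class Packet:
    ts: datetime
    sport: int
    dport: int
    src: str
    dst: str


@dataclass
class Flow:
    remote_ip: str
    remote_port: int
    local_port: int
    first: datetime
    last: datetime
    to_remote: int = 0    # packets sent by the sandbox host
    from_remote: int = 0  # packets sent by the remote endpoint


def parse_timestamp(text: str) -> datetime:
    # strptime's %f accepts at most six fractional digits; the report prints nine.
    head, frac = text.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(rows):
    """Turn table rows into Packet records, skipping headers and junk lines."""
    packets = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        packets.append(Packet(parse_timestamp(m["ts"]), int(m["sport"]),
                              int(m["dport"]), m["src"], m["dst"]))
    return packets


def summarize_flows(packets, local_net="192.168.0.0/16"):
    """Group packets by (remote IP, remote port) and count each direction."""
    net = ipaddress.ip_network(local_net)
    flows = {}
    for p in packets:
        if ipaddress.ip_address(p.src) in net:      # sandbox host -> remote
            key, local_port, outbound = (p.dst, p.dport), p.sport, True
        else:                                       # remote -> sandbox host
            key, local_port, outbound = (p.src, p.sport), p.dport, False
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(key[0], key[1], local_port, p.ts, p.ts)
        f.first, f.last = min(f.first, p.ts), max(f.last, p.ts)
        if outbound:
            f.to_remote += 1
        else:
            f.from_remote += 1
    return flows


def is_nonstandard_port(port: int) -> bool:
    return port not in STANDARD_PORTS


def snort_rule(flow: Flow, sid: int) -> str:
    """Snort-syntax rule for traffic to the remote endpoint (example rule, local SID range)."""
    return (f"alert tcp $HOME_NET any -> {flow.remote_ip} {flow.remote_port} "
            f'(msg:"RedLine C2 candidate {flow.remote_ip}:{flow.remote_port}"; '
            f"flow:to_server,established; sid:{sid}; rev:1;)")


def main():
    for f in summarize_flows(parse_rows(SAMPLE_ROWS)).values():
        duration = (f.last - f.first).total_seconds()
        print(f"{f.remote_ip}:{f.remote_port} local_port={f.local_port} "
              f"out={f.to_remote} in={f.from_remote} span={duration:.3f}s "
              f"nonstandard={is_nonstandard_port(f.remote_port)}")
        if is_nonstandard_port(f.remote_port):
            print(snort_rule(f, 1000001))


if __name__ == "__main__":
    main()
```

Run over the full table the same way (paste the rows into `SAMPLE_ROWS`) to get the whole excerpt's packet counts per direction. The direction heuristic relies on the sandbox host sitting in a private range; if the lab uses public addressing, pass the real lab prefix as `local_net`.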

Target ID: 0
Start time: 06:39:53
Start date: 25/01/2024
Path: C:\Users\user\Desktop\axfdj9gfw.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\axfdj9gfw.exe
Imagebase: 0x400000
File size: 410'777 bytes
MD5 hash: A9B37E8DCB39434F179056D861C65B1A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1890894152.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1888547004.0000000000612000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1888190303.000000000040D000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1890894152.0000000002998000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 06:39:54
Start date: 25/01/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true