
Windows Analysis Report
SecuriteInfo.com.Trojan.Agent.446.6903.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Agent.446.6903.exe
Analysis ID: 1384466
MD5: c8b5dcfbdbf417d517edf952f366ef7f
SHA1: be435b97e7f057d5d82bbed7a01fc857c4bdae75
SHA256: d4e47ed98b4f06008fddd350f0516a0b2f1f8b1a1bdbb027328aa5b1b00b1893
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.Agent.446.6903.exe (PID: 6496 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe MD5: C8B5DCFBDBF417D517EDF952F366EF7F)
    • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["45.15.156.127:48665"], "Authorization Header": "502b9ebb15fe09bd8cf1ab568d1e9df0"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
00000000.00000002.1887950311.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1888124901.0000000000F22000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1890169746.0000000003719000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author
0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.ea9000.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.ea9000.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.f20000.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.e90000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
                        No Sigma rule has matched
Timestamp: 02/01/24-02:52:04.219457
SID: 2043234
Source IP: 45.15.156.127
Source Port: 48665
Destination IP: 192.168.2.4
Destination Port: 49730
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 02/01/24-02:52:19.959258
SID: 2043231
Source IP: 192.168.2.4
Source Port: 49730
Destination IP: 45.15.156.127
Destination Port: 48665
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 02/01/24-02:52:03.983916
SID: 2046045
Source IP: 192.168.2.4
Source Port: 49730
Destination IP: 45.15.156.127
Destination Port: 48665
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 02/01/24-02:52:10.200070
SID: 2046056
Source IP: 45.15.156.127
Source Port: 48665
Destination IP: 192.168.2.4
Destination Port: 49730
Protocol: TCP
Classtype: A Network Trojan was detected


                        AV Detection

Source: 45.15.156.127:48665 | Avira URL Cloud: Label: malware
Source: 0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.f20000.2.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["45.15.156.127:48665"], "Authorization Header": "502b9ebb15fe09bd8cf1ab568d1e9df0"}
Source: 45.15.156.127:48665 | Virustotal: Detection: 14%
Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe | Virustotal: Detection: 27%
Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                        Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49730 -> 45.15.156.127:48665
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49730 -> 45.15.156.127:48665
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 45.15.156.127:48665 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 45.15.156.127:48665 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: 45.15.156.127:48665
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 45.15.156.127:48665
Source: Joe Sandbox View | IP Address: 45.15.156.127
Source: Joe Sandbox View | ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown | TCP traffic detected without corresponding DNS query: 45.15.156.127 (50 identical entries)
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003719000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000034DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000034DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003700000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exeString found in binary or memory: http://www.digicert.com/CPS0
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.0000000004615000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.00000000045FA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1892043673.0000000004637000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1887950311.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1888124901.0000000000F22000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.0000000004615000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.00000000045FA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1892043673.0000000004637000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.0000000004615000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.00000000045FA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1892043673.0000000004637000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.0000000004615000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.00000000045FA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1892043673.0000000004637000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.0000000004615000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.00000000045FA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1892043673.0000000004637000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.0000000004615000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1892043673.0000000004637000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.00000000045FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.0000000004615000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.00000000045FA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1892043673.0000000004637000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.0000000004615000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.00000000045FA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1892043673.0000000004637000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.0000000004615000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.00000000045FA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1892043673.0000000004637000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
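The rows above are what an analyst grep-triages in a memory dump of a RedLine-classified sample: WS-* action URIs, `http://tempuri.org/Entity/IdN` with matching `IdNResponse` actions, the `https://api.ip.sb/ip` lookup, and Chromium search-provider URLs. The Python below is an added example, not Joe Sandbox output and not RedLine code; it takes a list of strings already extracted from the sample or dump (the constructed `SAMPLE_STRINGS` mirror a subset of the rows above, trailing-letter artefacts such as `Id1ResponseD` and `rmX` included) and groups them into the classes that matter for triage. The grouping rules are this editor's assumptions, not statements of the report: WS-* action URIs indicate the WCF channel stack linked into the sample, `tempuri.org` is the default namespace WCF emits for a service contract so `Entity/IdN` plus `Entity/IdNResponse` is one request/response operation, `api.ip.sb/ip` is an external-IP lookup, and the search-provider URLs are Chromium profile data the sample read. All function and constant names are the editor's own.

```python
"""Group extracted strings into the indicator classes seen in the report above.

Added example (not Joe Sandbox or RedLine code). Input is a list of strings
already pulled from the sample or a memory dump; every classification rule is
an assumption by the editor and is documented on the constant that encodes it.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample input: a subset of the report's rows, including the
# trailing-letter artefacts ("...ResponseD", "rmX") that memory dumps produce.
SAMPLE_STRINGS = [
    "http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register",
    "http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence",
    "http://schemas.xmlsoap.org/ws/2005/02/rmX",
    "http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT",
    "http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1",
    "http://tempuri.org/",
    "http://tempuri.org/D",
    "http://tempuri.org/Entity/Id1",
    "http://tempuri.org/Entity/Id1Response",
    "http://tempuri.org/Entity/Id1ResponseD",
    "http://tempuri.org/Entity/Id10",
    "http://tempuri.org/Entity/Id10Response",
    "http://tempuri.org/Entity/Id24",
    "http://tempuri.org/Entity/Id24Response",
    "http://tempuri.org/Entity/Id3",  # request side only in this sample
    "https://api.ip.sb/ip",
    "https://duckduckgo.com/ac/?q=",
    "https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=",
    "http://www.digicert.com/CPS0",
]

# Assumption: WS-* action URIs (wscoor, rm, sc, trust, ...) come from the WCF
# channel stack linked into the sample; the short spec name is captured.
WS_ACTION_RE = re.compile(r"^http://schemas\.xmlsoap\.org/ws/\d{4}/\d{2}/([a-z]+)")
# Assumption: tempuri.org is WCF's default contract namespace; Entity/IdN and
# Entity/IdNResponse are the request/response actions of one operation.
# A single trailing capital letter is tolerated as dump noise.
ENTITY_ACTION_RE = re.compile(r"^http://tempuri\.org/Entity/Id(\d+)(Response)?[A-Z]?$")
IP_LOOKUP_HOSTS = {"api.ip.sb"}  # assumption: external-IP lookup
SEARCH_ENGINE_HOSTS = {  # assumption: Chromium default search providers
    "duckduckgo.com", "ac.ecosia.org", "www.ecosia.org", "cdn.ecosia.org",
    "ch.search.yahoo.com", "www.google.com",
}


def host_of(s):
    """Lower-cased host of a URL-like string, '' if it has none."""
    try:
        return urlparse(s.strip()).netloc.lower()
    except ValueError:
        return ""


def ws_specs(strings):
    """Counter of WS-* spec names seen, e.g. {'rm': 2, 'trust': 1}."""
    found = Counter()
    for s in strings:
        m = WS_ACTION_RE.match(s.strip())
        if m:
            found[m.group(1)] += 1
    return found


def entity_operations(strings):
    """Map operation number -> set of sides seen ('request' and/or 'response')."""
    ops = {}
    for s in strings:
        m = ENTITY_ACTION_RE.match(s.strip())
        if m:
            side = "response" if m.group(2) else "request"
            ops.setdefault(int(m.group(1)), set()).add(side)
    return ops


def paired_operations(strings):
    """Operation numbers for which both the request and the Response action appear."""
    ops = entity_operations(strings)
    return sorted(n for n, sides in ops.items() if sides == {"request", "response"})


def triage(strings):
    """Summarise the indicator classes; 'findings' is the human-readable part."""
    specs = ws_specs(strings)
    ops = entity_operations(strings)
    paired = paired_operations(strings)
    ip_lookup = sorted({s.strip() for s in strings if host_of(s) in IP_LOOKUP_HOSTS})
    search_hits = sum(1 for s in strings if host_of(s) in SEARCH_ENGINE_HOSTS)
    findings = []
    if specs:
        findings.append("WCF WS-* actions present: " + ", ".join(sorted(specs)))
    if paired:
        findings.append("WCF contract with %d paired Entity/IdN operations" % len(paired))
    if ip_lookup:
        findings.append("external IP lookup: " + ", ".join(ip_lookup))
    if search_hits:
        findings.append("%d Chromium search-provider URLs (profile data read)" % search_hits)
    return {
        "ws_specs": dict(specs),
        "paired_operations": paired,
        "unpaired_operations": sorted(set(ops) - set(paired)),
        "ip_lookup_urls": ip_lookup,
        "search_engine_hits": search_hits,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_STRINGS)["findings"]:
        print(line)
```

On a real dump, feed `triage()` the output of `strings` (or the Joe Sandbox string list) instead of `SAMPLE_STRINGS`; the paired/unpaired split is useful because a full request and Response set for consecutive `IdN` numbers is what a compiled WCF client contract leaves behind, whereas a handful of unpaired hits is more likely incidental framework data.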
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00E9E031
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00E91000
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_0175DCD4
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_05E3BCE4
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_05E3E698
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_05E31629
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_05E31638
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_05E30144
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: String function: 00E923A0 appears 33 times
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe | Static PE information: invalid certificate
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1889086283.00000000014BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.Agent.446.6903.exe
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Agent.446.6903.exe
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1887950311.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCadency.exe8 vs SecuriteInfo.com.Trojan.Agent.446.6903.exe
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1888221313.0000000000F64000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCadency.exe8 vs SecuriteInfo.com.Trojan.Agent.446.6903.exe
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: dwrite.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: msvcp140_clr0400.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: secur32.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: dpapi.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: rstrtmgr.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: ncrypt.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: ntasn1.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Section loaded: windowscodecs.dll
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe | Static PE information: Section: .reloc IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/1@0/1
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | File created: C:\Users\user\AppData\Local\SystemCache
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1' (2 occurrences)
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe | Virustotal: Detection: 27%
                        Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00E9F000 VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,lstrlenW,CreateThread,Sleep,WaitForSingleObject
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe | Static PE information: section name: .xzyutr
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe | Static PE information: section name: .61g2
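                        The two static PE indicators above (an executable .reloc section, and the non-standard section names .xzyutr and .61g2) can be reproduced from the section table alone. The script below is an added example for this page, not Joe Sandbox code and not part of the sample: it parses the PE section headers with the standard library only (no pefile), flags unknown section names, a .reloc section carrying IMAGE_SCN_MEM_EXECUTE, and any writable-and-executable section. The sample bytes are a constructed PE32 header, and the characteristics given to .xzyutr and .61g2 are assumed, since the report does not list them; the KNOWN_SECTIONS set is this editor's list of common toolchain names, not an authoritative one.

```python
"""Static triage of PE section headers (added example, stdlib only)."""
import struct

IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

# Section names emitted by common toolchains (MSVC, .NET, GCC/MinGW).
# Assumed baseline for this example; extend it for your own corpus.
KNOWN_SECTIONS = {
    ".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".pdata", ".rsrc",
    ".reloc", ".tls", ".CRT", ".sdata", ".xdata", ".debug", ".gfids", ".00cfg",
}


def parse_sections(pe: bytes):
    """Return [(name, characteristics)] for every section header in the image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    first = coff + 20 + size_opt                          # section table start
    out = []
    for i in range(n_sections):
        off = first + 40 * i                              # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        chars = struct.unpack_from("<I", pe, off + 36)[0]  # Characteristics
        out.append((name, chars))
    return out


def section_findings(pe: bytes):
    """Heuristics matching the report's two static indicators, plus W+X."""
    findings = []
    for name, chars in parse_sections(pe):
        if name not in KNOWN_SECTIONS:
            findings.append(f"non-standard section name {name!r}")
        if name == ".reloc" and chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append(".reloc is marked executable (packer/loader stub?)")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name!r} is writable and executable")
    return findings


def triage_file(path: str):
    with open(path, "rb") as fh:
        return section_findings(fh.read())


def build_sample_pe(sections):
    """Construct a minimal PE32 header (no code) with the given section table.
    Constructed test input, not bytes from the analysed binary."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = struct.pack("<H", 0x10B) + bytes(222)           # PE32 magic, 224-byte optional header
    # Machine=i386, NumberOfSections, timestamps/symbols zeroed, SizeOfOptionalHeader,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE as in the report.
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), 0, 0, 0, 0, 0, 0, 0, 0, chars)
        for name, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + opt + hdrs


# Section layout mirroring the report; the flags on the two odd sections are assumed.
SAMPLE_PE = build_sample_pe([
    (".text",   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".xzyutr", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".61g2",   IMAGE_SCN_MEM_READ),
    (".reloc",  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for finding in section_findings(SAMPLE_PE):
        print("[!]", finding)
```

An executable .reloc is worth a closer look because the loader applies relocations from that section but never expects to run code from it; packers that hide a stub there rely on DYNAMIC_BASE being set so the section is mapped and patched before the stub executes.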
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00EA1520 push eax; ret (at 0_2_00EA1540)
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00E9E764 push ecx; ret (at 0_2_00E9E777)
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_07054530 push es; ret (at 0_2_070547A4)
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_070547FE pushfd ; iretd (at 0_2_070547FF)
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_070540F4 pushad ; ret (at 0_2_0705410D)
                        Source: 0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.ea9000.1.raw.unpack, Egqpp0PKPHOlFlNdwj.cs | High entropy of concatenated method names: 'iWahvCn78', 'YqdgDAAES', 'Vi2d0tJRG', 'h7D91LL4y', 'S00NNYkxV', 'efeKkRfuw', 'eiIBWe6DK', 'tpP8STgbb', 'HFmURtgDU', 'Vi37uhDcy'
                        Source: 0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.ea9000.1.raw.unpack, WqRlSAmCMMEPWUm5Kg.cs | High entropy of concatenated method names: 'RV3EpiPs2', 'ha7CuiPJK', 'qiEwoierw', 'T4pkk5xr1', 'I7ruw25FQ', 'KJSjoTPGA', 'up0S1Len5', 'fKHDXKkRW', 'N26WZLh6F', 'jfaOtxD3o'
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Process information set: NOOPENFILEERRORBOX (78 occurrences)

                        Malware Analysis System Evasion

                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Memory allocated: 16F0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Memory allocated: 3350000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Memory allocated: 1990000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Window / User API: threadDelayed 2098
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Window / User API: threadDelayed 7379
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe TID: 7084 | Thread sleep time: -25825441703193356s >= -30000s
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Thread delayed: delay time: 922337203685477
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1886719478.0000000001A3D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "Vmcirb8bimipc
                        Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1887600512.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1889176837.00000000014F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00E96594 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00E9F000 VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,lstrlenW,CreateThread,Sleep,WaitForSingleObject
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00E9F000 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00E9944F GetProcessHeap
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00E925D3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00E96594 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00E9217E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00E922DA SetUnhandledExceptionFilter
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Memory allocated: page read and write | page guard
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00E923E5 cpuid
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Code function: 0_2_00E92065 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
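                        The evasion block above is a mix of three behaviours that read the same in a raw log: hardware fingerprinting through WMI (Win32_DiskDrive, Win32_VideoController, Win32_Processor), security-product enumeration through ROOT\SecurityCenter and ROOT\SecurityCenter2, and an effectively infinite sleep. The script below is an added example for this page (not Joe Sandbox code and not taken from the sample) that parses the report's own "WMI Queries:" and "Thread delayed:" line formats and groups each line by the behaviour it serves. Two practitioner caveats are built in: namespace and class names are compared case-insensitively, because the report itself prints both root\cimv2 and root\CIMV2, and the delay value 922337203685477 is recognised as .NET TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks divided by 10 000), which means the thread is parked indefinitely rather than waiting out a timer. The input lines are constructed copies of lines from this report, and the class-to-behaviour mapping is this editor's, not Joe Sandbox's.

```python
"""Triage of WMI and thread-delay lines from a sandbox report (added example)."""
import re
from collections import defaultdict

WMI_RE = re.compile(r"ExecQuery - (?P<ns>\S+) : SELECT \* FROM (?P<cls>\w+)", re.I)
DELAY_RE = re.compile(r"Thread delayed: delay time: (?P<ms>\d+)")

# WMI classes grouped by what a stealer typically uses them for (editor's mapping).
VM_FINGERPRINT = {"win32_diskdrive", "win32_videocontroller", "win32_processor",
                  "win32_computersystem", "win32_bios"}
SECURITY_CENTER = {"antivirusproduct", "antispywareproduct", "firewallproduct"}
PROCESS_ENUM = {"win32_process"}

# Sleeps at or above this are treated as sandbox-timeout evasion; the report's
# own thread-sleep line shows Joe Sandbox using a 30 000 ms threshold.
LONG_SLEEP_MS = 30_000
# .NET TimeSpan.MaxValue is Int64.MaxValue ticks (100 ns each); in whole
# milliseconds that is 922337203685477, exactly the value in the report.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000


def classify_wmi(namespace: str, cls: str) -> str:
    """Map one WQL query to a behaviour label; comparison is case-insensitive."""
    ns, c = namespace.lower(), cls.lower()
    if ns.startswith("root\\securitycenter") and c in SECURITY_CENTER:
        return "security-product enumeration"
    if c in VM_FINGERPRINT:
        return "hardware fingerprint (VM/sandbox check)"
    if c in PROCESS_ENUM:
        return "process enumeration"
    return "other"


def triage(lines):
    """Return {behaviour: sorted evidence strings} for the given report lines."""
    out = defaultdict(set)
    for line in lines:
        m = WMI_RE.search(line)
        if m:
            label = classify_wmi(m["ns"], m["cls"])
            out[label].add(f"{m['ns'].lower()}:{m['cls'].lower()}")
            continue
        m = DELAY_RE.search(line)
        if m:
            ms = int(m["ms"])
            if ms == DOTNET_TIMESPAN_MAX_MS:
                out["infinite sleep (TimeSpan.MaxValue)"].add(str(ms))
            elif ms >= LONG_SLEEP_MS:
                out["long sleep"].add(str(ms))
    return {k: sorted(v) for k, v in out.items()}


# Constructed copies of lines from the report above (detail column only).
REPORT_LINES = [
    "WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_DiskDrive",
    "WMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : SELECT * FROM Win32_VideoController",
    "WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_Processor",
    "WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'",
    "Thread delayed: delay time: 922337203685477",
    "WMI Queries: IWbemServices::ExecQuery - ROOT\\SecurityCenter2 : SELECT * FROM AntivirusProduct",
    "WMI Queries: IWbemServices::ExecQuery - ROOT\\SecurityCenter2 : SELECT * FROM FirewallProduct",
    "WMI Queries: IWbemServices::ExecQuery - ROOT\\SecurityCenter : SELECT * FROM AntiSpyWareProduct",
]

if __name__ == "__main__":
    for behaviour, evidence in triage(REPORT_LINES).items():
        print(f"{behaviour}: {', '.join(evidence)}")
```

The same classifier works on live telemetry if you feed it the query strings from Microsoft-Windows-WMI-Activity/Operational (event 5857/5858 carry the WQL text); Win32_Processor or Win32_VideoController on their own are common in legitimate software, so the signal is the combination with SecurityCenter2 enumeration from an unsigned process.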

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.ea9000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.ea9000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.f20000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1887950311.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1888124901.0000000000F22000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Agent.446.6903.exe PID: 6496, type: MEMORYSTR
Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003719000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\walletsLRkqP
Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003719000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003719000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq-cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003719000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLRkq
Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003719000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLRkqt
Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003719000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq%appdata%`,kqdC:\Users\user\AppData\Roaming`,kqdC:\Users\user\AppData\Roaming\Binance
Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003719000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq&%localappdata%\Coinomi\Coinomi\walletsLRkq
Source: SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003719000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $kq5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match | File source: 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1890169746.0000000003719000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Agent.446.6903.exe PID: 6496, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.ea9000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.ea9000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.f20000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Agent.446.6903.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1887950311.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1888124901.0000000000F22000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Agent.446.6903.exe PID: 6496, type: MEMORYSTR
Mitre Att&ck Matrix (techniques grouped by tactic; bracketed digits are the count badges the report attaches to a technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [221]; Native API [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [241]; Process Injection [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery [1]; Security Software Discovery [241]; Process Discovery [1]; Virtualization/Sandbox Evasion [241]; Application Window Discovery [1]; System Information Discovery [124]; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [1]; Data from Local System [2]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.Agent.446.6903.exe | 27% | Virustotal
SecuriteInfo.com.Trojan.Agent.446.6903.exe | 100% | Joe Sandbox ML
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
Source | Detection | Scanner | Label
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id14ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/ | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id14ResponseD | 2% | Virustotal
http://tempuri.org/Entity/Id2Response | 2% | Virustotal
http://tempuri.org/Entity/Id12Response | 2% | Virustotal
http://tempuri.org/ | 0% | Virustotal
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id9 | 1% | Virustotal
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe
45.15.156.127:48665 | 100% | Avira URL Cloud | malware
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id8 | 1% | Virustotal
http://tempuri.org/Entity/Id21Response | 4% | Virustotal
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5 | 1% | Virustotal
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe
45.15.156.127:48665 | 14% | Virustotal
http://tempuri.org/Entity/Id13ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id7 | 1% | Virustotal
http://tempuri.org/Entity/Id6ResponseD | 1% | Virustotal
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id13ResponseD | 1% | Virustotal
http://tempuri.org/Entity/Id23ResponseD | 1% | Virustotal
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6 | 1% | Virustotal
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5ResponseD | 2% | Virustotal
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6Response | 2% | Virustotal
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id1ResponseD | 1% | Virustotal
http://tempuri.org/Entity/Id15Response | 2% | Virustotal
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id4 | 1% | Virustotal
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id9Response | 2% | Virustotal
http://tempuri.org/Entity/Id20 | 1% | Virustotal
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21 | 1% | Virustotal
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id22 | 1% | Virustotal
http://tempuri.org/Entity/Id21ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id19Response | 2% | Virustotal
http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id23 | 1% | Virustotal
http://tempuri.org/Entity/Id1Response | 2% | Virustotal
http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id10ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id11 | 1% | Virustotal
http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21ResponseD | 1% | Virustotal
http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id24 | 1% | Virustotal
http://tempuri.org/Entity/Id10ResponseD | 1% | Virustotal
http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id16Response | 2% | Virustotal
http://tempuri.org/Entity/Id24Response | 2% | Virustotal
http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id12 | 1% | Virustotal
http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id10 | 1% | Virustotal
http://tempuri.org/Entity/Id14 | 1% | Virustotal
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15 | 1% | Virustotal
http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id16 | 1% | Virustotal
http://tempuri.org/Entity/Id18 | 1% | Virustotal
http://tempuri.org/Entity/Id17 | 1% | Virustotal
http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id11ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id17ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id13 | 1% | Virustotal
                        No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
45.15.156.127:48665 | true | Virustotal 14%; Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.0000000004615000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1892043673.0000000004637000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.0000000004615000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.00000000045FA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1892043673.0000000004637000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id14ResponseD | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://tempuri.org/ | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 0%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id2Response | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 4%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003700000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13ResponseD | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5ResponseD | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000034DB000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 2%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | SecuriteInfo.com.Trojan.Agent.446.6903.exe, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1887950311.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1888124901.0000000000F22000.00000020.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1ResponseD | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                          high
                                                                          http://tempuri.org/Entity/Id9ResponseSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • 2%, Virustotal, Browse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.0000000004615000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.00000000045FA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1892043673.0000000004637000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id20SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • 1%, Virustotal, Browse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://tempuri.org/Entity/Id21SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • 1%, Virustotal, Browse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://tempuri.org/Entity/Id22SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • 1%, Virustotal, Browse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://tempuri.org/Entity/Id23SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • 1%, Virustotal, Browse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://tempuri.org/Entity/Id24SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • 1%, Virustotal, Browse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://tempuri.org/Entity/Id24ResponseSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • 2%, Virustotal, Browse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://www.ecosia.org/newtab/SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.0000000004615000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000003.1820939594.00000000045FA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1892043673.0000000004637000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://tempuri.org/Entity/Id1ResponseSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • 2%, Virustotal, Browse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlySecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplaySecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinarySecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeySecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://tempuri.org/Entity/Id21ResponseDSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • 1%, Virustotal, Browse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://schemas.xmlsoap.org/ws/2004/08/addressingSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/trustSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id10SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • 1%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id11SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • 1%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id10ResponseDSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • 1%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id12SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • 1%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id16ResponseSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • 2%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id13SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • 1%, Virustotal, Browse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id14SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • 1%, Virustotal, Browse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id15SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • 1%, Virustotal, Browse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id16SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • 1%, Virustotal, Browse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/NonceSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id17SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • 1%, Virustotal, Browse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id18SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • 1%, Virustotal, Browse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id5ResponseSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id19SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id15ResponseDSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003719000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://tempuri.org/Entity/Id10ResponseSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RenewSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://tempuri.org/Entity/Id11ResponseDSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://tempuri.org/Entity/Id8ResponseSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeySecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2006/02/addressingidentitySecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://tempuri.org/Entity/Id17ResponseDSecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.00000000034DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://schemas.xmlsoap.org/soap/envelope/SecuriteInfo.com.Trojan.Agent.446.6903.exe, 00000000.00000002.1890169746.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
IP:45.15.156.127
Domain:unknown
Country:Russian Federation
ASN:39493
ASN Name:RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Malicious:true
Joe Sandbox version: 39.0.0 Ruby
Analysis ID: 1384466
Start date and time: 2024-02-01 02:51:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Trojan.Agent.446.6903.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@2/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 76
• Number of non-executed functions: 29
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
02:52:11 | API Interceptor | 64x Sleep call for process: SecuriteInfo.com.Trojan.Agent.446.6903.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
45.15.156.127 | axfdj9gfw.exe | malicious | RedLine
45.15.156.127 | last.exe | malicious | RedLine, Xmrig
45.15.156.127 | edgag365.exe | malicious | RedLine
45.15.156.127 | Shxdow.exe | malicious | RedLine
45.15.156.127 | GLP3Q0PFY4.exe | malicious | RedLine
45.15.156.127 | 07CKY9gp1H.exe | malicious | RedLine
45.15.156.127 | 8as7BA35XQ.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz
45.15.156.127 | 2TWG5GKJcw.exe | malicious | RedLine
45.15.156.127 | Fx7EIIKW9R.exe | malicious | RedLine
45.15.156.127 | pooXYQy15z.exe | malicious | RedLine
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | KFHX2S263Y.exe | malicious | Stealc, Vidar | 5.42.64.33
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | SecuriteInfo.com.Win32.BotX-gen.27212.21808.exe | malicious | Amadey | 5.42.64.4
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | EL76BXXsn2.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine, Xmrig, zgRAT | 5.42.65.31
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | file.exe | malicious | Amadey, Fabookie, Glupteba, Stealc, Vidar | 5.42.64.33
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | Dolphin.exe | malicious | RedLine | 45.15.156.167
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | file.exe | malicious | Glupteba, GuLoader, Socks5Systemz, Stealc | 5.42.64.33
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | file.exe | malicious | Babuk, Djvu, RedLine, SmokeLoader, Stealc, Vidar, Xmrig | 45.15.156.201
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | Investor.exe | malicious | LummaC, Pure Miner, RedLine, Xmrig | 45.15.156.43
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | SecuriteInfo.com.Win32.PWSX-gen.23950.2214.exe | malicious | Stealc, Vidar | 5.42.64.33
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | file.exe | malicious | RedLine | 45.15.156.201
No context
No context
Process: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3094
Entropy (8bit): 5.33145931749415
Encrypted: false
SSDEEP: 96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5: 2A56468A7C0F324A42EA599BF0511FAF
SHA1: 404B343A86EDEDF5B908D7359EB8AA957D1D4333
SHA-256: 6398E0BD46082BBC30008BC72A2BA092E0A1269052153D343AA40F935C59957C
SHA-512: 19B79181C40AA51C7ECEFCD4C9ED42D5BA19EA493AE99654D3A763EA9B21B1ABE5B5739AAC425E461609E1165BCEA749CFB997DE0D35303B4CF2A29BDEF30B17
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 6.060996774914389
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.Trojan.Agent.446.6903.exe
File size: 461'977 bytes
MD5: c8b5dcfbdbf417d517edf952f366ef7f
SHA1: be435b97e7f057d5d82bbed7a01fc857c4bdae75
SHA256: d4e47ed98b4f06008fddd350f0516a0b2f1f8b1a1bdbb027328aa5b1b00b1893
SHA512: 4c3513e4bee0b6d2235878141da9a74b8a363ad49306b2f47a8e5e274ed63a83867eaf3577602c2fd054305ac3e4fb10df029dc3f7f148b0ab46cacbce8b5008
SSDEEP: 6144:PgHn0ajsNmRY44LKisu1z9rnlyFqYRGeIcIraNUlG7:P0n0afRnXA9LPYRGTaNKG7
TLSH: 02A49EBD74D3AC50E472CC779758F6783A3BBD21FD504A52E5396A2E0D302836FA4A12
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........z...)...)...)...(...)...(...)...(...)...(...)...)...).l.(...).l.(...).l.(...)...)...).l.(...)Rich...).......................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x401e07
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x65BACEA4 [Wed Jan 31 22:50:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: f427f7e2d298a968a6955e590f98f31e
Signature Valid: false
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After
• 04/10/2023 01:00:00 04/10/2024 00:59:59
Subject Chain
• CN=Spotify AB, O=Spotify AB, L=Stockholm, C=SE, SERIALNUMBER=556703-7485, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=SE
Version: 3
Thumbprint MD5: 4D560750375195A86BA5F8F90C38104E
Thumbprint SHA-1: AD50220499F12C553C03F7B4C172392DB8FC737B
Thumbprint SHA-256: 88AE80188017EFC3EB7550C57F8D18A0A76CD36BE1DE1EC47A5E85A0E5C2438A
Serial: 0FAB670A61BF4B7DAFD559356B5BCCFF
Instruction
call 00007FCF45927F8Bh
jmp 00007FCF45927B59h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007FCF45927CFBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007FCF45927CECh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007FCF45927CEEh
add edx, 28h
cmp edx, esi
jne 00007FCF45927CCCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007FCF45927CDBh
push esi
call 00007FCF45928443h
test eax, eax
je 00007FCF45927D02h
mov eax, dword ptr fs:[00000018h]
mov esi, 00463B3Ch
mov edx, dword ptr [eax+04h]
jmp 00007FCF45927CE6h
cmp edx, eax
je 00007FCF45927CF2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
                                                                                                                                                    jne 00007FCF45927CD2h
                                                                                                                                                    xor al, al
                                                                                                                                                    pop esi
                                                                                                                                                    ret
                                                                                                                                                    mov al, 01h
                                                                                                                                                    pop esi
                                                                                                                                                    ret
                                                                                                                                                    push ebp
                                                                                                                                                    mov ebp, esp
                                                                                                                                                    cmp dword ptr [ebp+08h], 00000000h
                                                                                                                                                    jne 00007FCF45927CE9h
                                                                                                                                                    mov byte ptr [00463B40h], 00000001h
                                                                                                                                                    call 00007FCF4592822Eh
                                                                                                                                                    call 00007FCF45928C62h
                                                                                                                                                    test al, al
                                                                                                                                                    jne 00007FCF45927CE6h
                                                                                                                                                    xor al, al
                                                                                                                                                    pop ebp
                                                                                                                                                    ret
                                                                                                                                                    call 00007FCF4592B96Ah
                                                                                                                                                    test al, al
                                                                                                                                                    jne 00007FCF45927CECh
                                                                                                                                                    push 00000000h
                                                                                                                                                    call 00007FCF45928C69h
                                                                                                                                                    pop ecx
                                                                                                                                                    jmp 00007FCF45927CCBh
                                                                                                                                                    mov al, 01h
                                                                                                                                                    pop ebp
                                                                                                                                                    ret
                                                                                                                                                    push ebp
                                                                                                                                                    mov ebp, esp
                                                                                                                                                    cmp byte ptr [00463B41h], 00000000h
                                                                                                                                                    je 00007FCF45927CE6h
                                                                                                                                                    mov al, 01h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x67000 | 0x43 | .61g2
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17b7c | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x6e351 | 0x2948 | .61g2
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x65000 | 0x1058 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x17060 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x16fa0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x12000 | 0x12c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xdae3 | 0xdc00 | af7c0227010b72a89ef9757ff8333d4f | False | 0.5969637784090909 | data | 6.616748031599695 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0xf000 | 0x16d1 | 0x1800 | 66910900a81ac799b74a242149cf928f | False | 0.6705729166666666 | data | 5.834583863481259 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.xzyutr | 0x11000 | 0x54b | 0x600 | 900d3de3bf9cfa1ec0eaee1f6440afa9 | False | 0.7135416666666666 | data | 5.449253860816083 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x12000 | 0x6222 | 0x6400 | 1d65cee4a8f013ce04933270fdbc306e | False | 0.428203125 | data | 4.860739753245819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x19000 | 0x4b570 | 0x4ac00 | 740d553c2a18e1f946de3f42844990c1 | False | 0.3778774299749164 | data | 4.983940276706137 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x65000 | 0x1058 | 0x1200 | 87ac271cc8cdbb64979329ee4fef320c | False | 0.7185329861111112 | data | 6.252663721569749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.61g2 | 0x67000 | 0xd000 | 0xc351 | 60bdcf21b6bcd3ab062b3246f5219394 | False | 0.752044959100818 | data | 5.959889322138283 | IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | VirtualProtect, VirtualAlloc, LoadLibraryA, GetProcAddress, lstrlenW, CreateThread, Sleep, WaitForSingleObject, FreeConsole, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, WriteConsoleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, EncodePointer, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW, CompareStringW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle, DecodePointer
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/01/24-02:52:04.219457 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 48665 | 49730 | 45.15.156.127 | 192.168.2.4
02/01/24-02:52:19.959258 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49730 | 48665 | 192.168.2.4 | 45.15.156.127
02/01/24-02:52:03.983916 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49730 | 48665 | 192.168.2.4 | 45.15.156.127
02/01/24-02:52:10.200070 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 48665 | 49730 | 45.15.156.127 | 192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.834569931 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.834645987 CET4973048665192.168.2.445.15.156.127
                                                                                                                                                    Feb 1, 2024 02:52:16.834743023 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.834778070 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.834810019 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.834965944 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.835020065 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.835184097 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.835427999 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.835462093 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.835493088 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.835536957 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.835675955 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.835783005 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.835813999 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.835897923 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.836138964 CET4973048665192.168.2.445.15.156.127
                                                                                                                                                    Feb 1, 2024 02:52:16.836199999 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.836234093 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.836280107 CET4973048665192.168.2.445.15.156.127
                                                                                                                                                    Feb 1, 2024 02:52:16.836291075 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.836410046 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.836441040 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.836592913 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.836623907 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.836656094 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.837047100 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.837080002 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.837111950 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.837142944 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.837177992 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.837208986 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.837444067 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.837477922 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.837670088 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.837743998 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.837817907 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.875543118 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:16.875627041 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.070904016 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.070965052 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.071000099 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.071033955 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.071208954 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.071244001 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.071276903 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.071388960 CET4973048665192.168.2.445.15.156.127
                                                                                                                                                    Feb 1, 2024 02:52:17.071518898 CET4973048665192.168.2.445.15.156.127
                                                                                                                                                    Feb 1, 2024 02:52:17.071543932 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.071878910 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.071912050 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.072068930 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.072384119 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.072618008 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.072695971 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.072729111 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.072766066 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.072798014 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.073026896 CET4973048665192.168.2.445.15.156.127
                                                                                                                                                    Feb 1, 2024 02:52:17.073124886 CET4973048665192.168.2.445.15.156.127
                                                                                                                                                    Feb 1, 2024 02:52:17.305754900 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.305972099 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.306005955 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.306127071 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.306160927 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.306278944 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.306577921 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.306819916 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.307001114 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.307034969 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.307148933 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.307180882 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.307214022 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.307311058 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.307379007 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.307411909 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.307622910 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.307655096 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.307686090 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.307693958 CET4973048665192.168.2.445.15.156.127
                                                                                                                                                    Feb 1, 2024 02:52:17.307718039 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.307787895 CET4973048665192.168.2.445.15.156.127
                                                                                                                                                    Feb 1, 2024 02:52:17.307988882 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.308223963 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.308305979 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.308377028 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.308408976 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.308520079 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.308811903 CET4973048665192.168.2.445.15.156.127
                                                                                                                                                    Feb 1, 2024 02:52:17.308873892 CET4973048665192.168.2.445.15.156.127
                                                                                                                                                    Feb 1, 2024 02:52:17.541584015 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.541743994 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.541876078 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.541965961 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.541982889 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.542026043 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.542042971 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.542426109 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.542490959 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.542673111 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.542752028 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.542768955 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.542783976 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.542886972 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.542995930 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.543011904 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.543315887 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.543488979 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.543504953 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.543668985 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.543692112 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.544018030 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.544034958 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.544231892 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.544248104 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.544261932 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.544307947 CET4973048665192.168.2.445.15.156.127
                                                                                                                                                    Feb 1, 2024 02:52:17.544394016 CET4973048665192.168.2.445.15.156.127
                                                                                                                                                    Feb 1, 2024 02:52:17.544450998 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.544622898 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.544713974 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.544948101 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.544989109 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.545336962 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.545372963 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.545448065 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.545463085 CET486654973045.15.156.127192.168.2.4
                                                                                                                                                    Feb 1, 2024 02:52:17.545732021 CET486654973045.15.156.127192.168.2.4


                                                                                                                                                    Target ID:0
                                                                                                                                                    Start time:02:51:56
                                                                                                                                                    Start date:01/02/2024
                                                                                                                                                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Agent.446.6903.exe
                                                                                                                                                    Imagebase:0xe90000
                                                                                                                                                    File size:461'977 bytes
                                                                                                                                                    MD5 hash:C8B5DCFBDBF417D517EDF952F366EF7F
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1887950311.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1888124901.0000000000F22000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1890169746.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1890169746.0000000003719000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                    Reputation:low
                                                                                                                                                    Has exited:true

                                                                                                                                                    Target ID:1
                                                                                                                                                    Start time:02:51:56
                                                                                                                                                    Start date:01/02/2024
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high
                                                                                                                                                    Has exited:true

                                                                                                                                                      Execution Graph

                                                                                                                                                      Execution Coverage:10.3%
                                                                                                                                                      Dynamic/Decrypted Code Coverage:16.9%
                                                                                                                                                      Signature Coverage:6.2%
                                                                                                                                                      Total number of Nodes:308
                                                                                                                                                      Total number of Limit Nodes:13

Control-flow Graph

Graph rendered on the original page; summary of the node dump: function at e9f000, entry block e9f000-e9f2f0, internal calls to e91000, e92700 and e91b80, common exit block ea06c3-ea06d0. API calls along the graph, in block order: VirtualAlloc (e9f346), LoadLibraryA (e9faca), GetProcAddress (e9fb26 and e9fb61), GetPEB (e9fcee), lstrlenW (ea0289), CreateThread (ea02cf), Sleep (ea04d3), WaitForSingleObject (ea04fa).
                                                                                                                                                      APIs
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1887891991.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
• Associated: 00000000.00000002.1887865035.0000000000E90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1887923708.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1887950311.0000000000EA9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1887950311.0000000000EEA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1888017349.0000000000EF5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1888017349.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_e90000_SecuriteInfo.jbxd
                                                                                                                                                      Yara matches
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                                      • String ID: $C:\\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe$z
                                                                                                                                                      • API String ID: 4275171209-2249875393
                                                                                                                                                      • Opcode ID: 79d1668fcbd47d92550e70a834c0b12b6ad7ce26379939201c74987faf515ed8
                                                                                                                                                      • Instruction ID: cbe8863561f0aaf03f8533c65469c4679eda12501f7441e93fc9ddcb51750780
                                                                                                                                                      • Opcode Fuzzy Hash: 79d1668fcbd47d92550e70a834c0b12b6ad7ce26379939201c74987faf515ed8
                                                                                                                                                      • Instruction Fuzzy Hash: B4C26A77D11B1D4BE704CA7CCC853A8BAA2EBC9320F51E732D869EB7D4C73889458681
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph

Graph rendered on the original page; summary of the node dump: function at 5e3e698 in the 5e30000 region, blocks 5e3e698-5e3f26e. No Windows API calls appear in the graph; it contains only internal calls (5e32660, 5e3c640, 5e3d1e0, 5e3f291/5e3f298) and indirect call sites at 5e3e6f9 and 5e3e9ea that resolve to 5e3e688, 5e3e698 (the function itself), 5e3e7b9, 5e3ec38, 5e3ee46 and 5e3f097.
                                                                                                                                                      Strings
                                                                                                                                                      Memory Dump Source
                                                                                                                                                      • Source File: 00000000.00000002.1898999566.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                      • Snapshot File: hcaresult_0_2_5e30000_SecuriteInfo.jbxd
                                                                                                                                                      Similarity
                                                                                                                                                      • API ID:
                                                                                                                                                      • String ID: (oq$(oq$(oq$0oNp$DqNp$LjNp
                                                                                                                                                      • API String ID: 0-2217272392
                                                                                                                                                      • Opcode ID: ae556b751fab081bfbf44a2c32d33386d8cadc6f2472161d87eb85a60694f5ed
                                                                                                                                                      • Instruction ID: a80bb5a49dc8c23fcd93b5321b41210133c394e33b90fe9c9e652fac4bcf1c41
                                                                                                                                                      • Opcode Fuzzy Hash: ae556b751fab081bfbf44a2c32d33386d8cadc6f2472161d87eb85a60694f5ed
                                                                                                                                                      • Instruction Fuzzy Hash: 30623B75A002189FDB14DF69C489AADBBF6FF88310F1580A9E846DB365DB35EC41CB50
                                                                                                                                                      Uniqueness

                                                                                                                                                      Uniqueness Score: -1.00%
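The two "Source File" entries above describe very different regions: the first is a PE-backed, execute-read image section at E91000, the second an execute-read-write region at 5E30000 that is not backed by any PE. When triaging a report like this, the field values in the .sdmp name are what tell the two apart. The following is an added example, not part of the Joe Sandbox report or its tooling: a small Python parser for the dump names as they appear above. Its field layout is an assumption inferred from the values on this page (0x20/0x40 line up with the winnt.h PAGE_* constants, 0x01000000/0x00020000 with MEM_IMAGE/MEM_PRIVATE); the remaining fields are carried through undecoded.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# winnt.h page-protection constants (low byte of the protection field).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# MEMORY_BASIC_INFORMATION.Type values.
MEMORY_TYPE = {0x00020000: "MEM_PRIVATE", 0x00040000: "MEM_MAPPED", 0x01000000: "MEM_IMAGE"}

# ASSUMPTION: field layout of the .sdmp name. Field 5 is read as the page
# protection and field 7 as the memory type because the values in this report
# match the constants above; fields 2, 6 and 8 are not decoded.
DUMP_NAME_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<field2>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<field6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<field8>[0-9A-Fa-f]{8})\.sdmp$"
)

# Matches the "Source File: <name>, Offset: <hex>, based on PE: <bool>" lines of the report.
SOURCE_LINE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)


@dataclass
class DumpRegion:
    name: str
    base: int
    protect_raw: int
    protection: str
    memory_type: str

    @property
    def executable(self) -> bool:
        return (self.protect_raw & 0xFF) in EXECUTABLE

    @property
    def writable(self) -> bool:
        return (self.protect_raw & 0xFF) in WRITABLE

    @property
    def image_backed(self) -> bool:
        return self.memory_type == "MEM_IMAGE"


def parse_dump_name(name: str) -> DumpRegion:
    """Decode one .sdmp file name into base address, protection and memory type."""
    m = DUMP_NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name!r}")
    protect_raw = int(m["protect"], 16)
    mtype_raw = int(m["mtype"], 16)
    return DumpRegion(
        name=name.strip(),
        base=int(m["base"], 16),
        protect_raw=protect_raw,
        protection=PAGE_PROTECTION.get(protect_raw & 0xFF, f"0x{protect_raw:08x}"),
        memory_type=MEMORY_TYPE.get(mtype_raw, f"0x{mtype_raw:08x}"),
    )


def is_unbacked_executable(region: DumpRegion) -> bool:
    """Executable, writable and not backed by a mapped image: the shape of an
    in-memory unpacked stage rather than a legitimately loaded module."""
    return region.executable and region.writable and not region.image_backed


def triage_report(text: str) -> List[Tuple[DumpRegion, bool, bool]]:
    """For every 'Source File' line return (region, PE-backed per report, flagged)."""
    results = []
    for m in SOURCE_LINE_RE.finditer(text):
        region = parse_dump_name(m["name"])
        results.append((region, m["pe"] == "true", is_unbacked_executable(region)))
    return results


# The two "Source File" lines from the report sections above.
REPORT_EXCERPT = """
Source File: 00000000.00000002.1887891991.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
Source File: 00000000.00000002.1898999566.0000000005E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
"""

if __name__ == "__main__":
    for region, pe_backed, flagged in triage_report(REPORT_EXCERPT):
        print(f"{region.base:#010x} {region.protection:<24} {region.memory_type:<12} "
              f"pe={pe_backed} unbacked_rwx={flagged}")
```

Under these assumptions the E91000 region decodes to PAGE_EXECUTE_READ / MEM_IMAGE and is not flagged, while the 5E30000 region decodes to PAGE_EXECUTE_READWRITE / MEM_PRIVATE and is flagged, which agrees with the report's own "based on PE" annotation for each dump.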

Control-flow Graph

Graph rendered on the original page; summary of the node dump: function at 5e3bce4 in the 5e30000 region, blocks 5e3bce4-5e3be27. The node dump is truncated at this point in the extraction, and no API calls appear in the visible portion.