
Windows Analysis Report
GbZkRO8wav.exe

Overview

General Information

Sample name: GbZkRO8wav.exe (renamed because the original name is a hash value)
Original sample name: 5a2a3883dbb564b4ae87d05707d4cd5d.exe
Analysis ID: 1410598
MD5: 5a2a3883dbb564b4ae87d05707d4cd5d
SHA1: b277cc5fd2358ba865e011fe9d8c2f89c40a0649
SHA256: 939bd5097a5a1c3d3ecae7d6f90194e47a6d20fa0e7c21d68679be9ea5c65f2f
Tags: 32, exe, trojan

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • GbZkRO8wav.exe (PID: 6640 cmdline: C:\Users\user\Desktop\GbZkRO8wav.exe MD5: 5A2A3883DBB564B4AE87D05707D4CD5D)
    • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["45.15.156.127:48665"], "Authorization Header": "e10fca6d250234006804955717161ae9"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.2820958513.0000000000AE4000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.2821360432.0000000000D72000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Process Memory Space: GbZkRO8wav.exe PID: 6640 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Source | Rule | Description | Author | Strings
0.2.GbZkRO8wav.exe.ae5e58.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.GbZkRO8wav.exe.ae5e58.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.GbZkRO8wav.exe.d70000.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
No Sigma rule has matched

Timestamp: 03/18/24-07:31:04.775194
SID: 2043234
Source Port: 48665
Destination Port: 49729
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/24-07:31:10.484173
SID: 2046056
Source Port: 48665
Destination Port: 49729
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/24-07:32:57.280683
SID: 2043231
Source Port: 49729
Destination Port: 48665
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/18/24-07:31:04.561191
SID: 2046045
Source Port: 49729
Destination Port: 48665
Protocol: TCP
Classtype: A Network Trojan was detected

                      AV Detection

Source: 45.15.156.127:48665 | Avira URL Cloud: Label: malware
Source: 0.2.GbZkRO8wav.exe.ae5e58.0.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["45.15.156.127:48665"], "Authorization Header": "e10fca6d250234006804955717161ae9"}
Source: 45.15.156.127:48665 | Virustotal: Detection: 14%
Source: GbZkRO8wav.exe | ReversingLabs: Detection: 73%
Source: GbZkRO8wav.exe | Virustotal: Detection: 78%
Source: GbZkRO8wav.exe | Joe Sandbox ML: detected
Source: GbZkRO8wav.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
Source: GbZkRO8wav.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ActionCenter.pdb | source: GbZkRO8wav.exe
Source: Binary string: ActionCenter.pdbUGP | source: GbZkRO8wav.exe
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 4x nop then jmp 078D844Dh (0_2_078D842C)
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 4x nop then jmp 07E7959Bh (0_2_07E792D8)
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 4x nop then jmp 07E765BAh (0_2_07E75D18)
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 4x nop then jmp 07E7CEC8h (0_2_07E7C9D0)
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 4x nop then jmp 07E7AAC3h (0_2_07E7A800)
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 4x nop then jmp 07E78629h (0_2_07E78611)
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 4x nop then jmp 07E7613Ah (0_2_07E76124)
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 4x nop then jmp 07E7613Ah (0_2_07E76094)

                      Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49729 -> 45.15.156.127:48665
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49729 -> 45.15.156.127:48665
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 45.15.156.127:48665 -> 192.168.2.4:49729
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 45.15.156.127:48665 -> 192.168.2.4:49729
Source: Malware configuration extractor | URLs: 45.15.156.127:48665
Source: global traffic | TCP traffic: 192.168.2.4:49729 -> 45.15.156.127:48665
Source: Joe Sandbox View | IP Address: 45.15.156.127
Source: Joe Sandbox View | ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown | TCP traffic detected without corresponding DNS query: 45.15.156.127
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003736000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003942000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003942000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003942000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14V
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003942000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003942000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                      Source: GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2820958513.0000000000AE4000.00000004.00000010.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2821360432.0000000000D72000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003C02000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                      Source: GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003BA4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_0115DC74
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D7780
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D47F0
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078DA6C0
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D4E49
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D84E0
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D63D8
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D6B22
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D52C9
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D0980
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D59D0
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D4018
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D378F
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D37A0
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D84D1
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D33E0
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D1289
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D1298
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D59C0
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_078D0970
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E775C0
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E792D8
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E7B230
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E76F80
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E77D28
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E75D18
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E78BE1
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E7EA60
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E7C9D0
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E74248
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E74238
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E76F70
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E79DD0
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E75D09
Source: GbZkRO8wav.exe | Static PE information: Number of sections : 16 > 10
Source: GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs GbZkRO8wav.exe
Source: GbZkRO8wav.exe, 00000000.00000002.2820958513.0000000000AE4000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWitloofs.exe8 vs GbZkRO8wav.exe
Source: GbZkRO8wav.exe, 00000000.00000000.1633068499.0000000000BF9000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameACTIONCENTER.DLLj% vs GbZkRO8wav.exe
Source: GbZkRO8wav.exe, 00000000.00000002.2822248292.000000000116E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs GbZkRO8wav.exe
Source: GbZkRO8wav.exe, 00000000.00000002.2821155073.0000000000BFA000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameACTIONCENTER.DLLj% vs GbZkRO8wav.exe
Source: GbZkRO8wav.exe, 00000000.00000002.2821393374.0000000000DB4000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWitloofs.exe8 vs GbZkRO8wav.exe
Source: GbZkRO8wav.exe | Binary or memory string: OriginalFilenameACTIONCENTER.DLLj% vs GbZkRO8wav.exe
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Section loaded: ntasn1.dll
                      Source: GbZkRO8wav.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@2/1@0/1
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File created: C:\Users\user\AppData\Local\SystemCache
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
                      Source: GbZkRO8wav.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: GbZkRO8wav.exe | ReversingLabs: Detection: 73%
                      Source: GbZkRO8wav.exe | Virustotal: Detection: 78%
                      Source: unknown | Process created: C:\Users\user\Desktop\GbZkRO8wav.exe C:\Users\user\Desktop\GbZkRO8wav.exe
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: GbZkRO8wav.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: ActionCenter.pdb source: GbZkRO8wav.exe
                      Source: Binary string: ActionCenter.pdbUGP source: GbZkRO8wav.exe
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_00BF25C9 memcpy,VirtualAlloc,VirtualAlloc,memcpy,memcpy,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,memcpy,lstrlenW,CreateThread,CreateThread,Sleep,Sleep,memcpy,WaitForSingleObject, 0_2_00BF25C9
                      Source: GbZkRO8wav.exe | Static PE information: section name: /4
                      Source: GbZkRO8wav.exe | Static PE information: section name: /14
                      Source: GbZkRO8wav.exe | Static PE information: section name: /29
                      Source: GbZkRO8wav.exe | Static PE information: section name: /41
                      Source: GbZkRO8wav.exe | Static PE information: section name: /55
                      Source: GbZkRO8wav.exe | Static PE information: section name: /67
                      Source: GbZkRO8wav.exe | Static PE information: section name: /80
                      Source: GbZkRO8wav.exe | Static PE information: section name: /91
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_00C49A9B push edi; retf 0_2_00C49A9D
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_00C49A4E push ecx; iretd 0_2_00C49A51
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_00C4C67B push 00000045h; iretd 0_2_00C4C681
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_00C4CBE2 pushfd ; retf 0_2_00C4CBEB
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_00C4D5B5 push esp; ret 0_2_00C4D5B9
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_00C4A12D push ebx; ret 0_2_00C4A133
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_00C4993C push eax; iretd 0_2_00C4993D
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E750C0 push 00000059h; ret 0_2_07E750CE
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E71B00 pushad ; ret 0_2_07E71B01
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E71A58 push esp; ret 0_2_07E71A59
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Memory allocated: 1150000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Memory allocated: 3660000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Memory allocated: 3320000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Window / User API: threadDelayed 695
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Window / User API: threadDelayed 2074
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe TID: 7080 | Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe TID: 6836 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Thread delayed: delay time: 922337203685477
                      Source: GbZkRO8wav.exe, 00000000.00000003.2820149822.0000000001245000.00000004.00000020.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2822248292.0000000001245000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_07E7B230 LdrInitializeThunk, 0_2_07E7B230
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_00BF25C9 memcpy,VirtualAlloc,VirtualAlloc,memcpy,memcpy,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,memcpy,lstrlenW,CreateThread,CreateThread,Sleep,Sleep,memcpy,WaitForSingleObject, 0_2_00BF25C9
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_00BF1160 Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,_cexit,exit, 0_2_00BF1160
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Code function: 0_2_00BF1187 SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,__initenv, 0_2_00BF1187
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: GbZkRO8wav.exe, 00000000.00000003.2807560130.0000000006071000.00000004.00000020.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2807513453.0000000006023000.00000004.00000020.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2818802933.000000000607C000.00000004.00000020.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2807981939.0000000005FEC000.00000004.00000020.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2807654772.000000000607B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                      Stealing of Sensitive Information

                      Source: Yara match | File source: dump.pcap, type: PCAP
                      Source: Yara match | File source: 0.2.GbZkRO8wav.exe.ae5e58.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.GbZkRO8wav.exe.ae5e58.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.GbZkRO8wav.exe.d70000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2820958513.0000000000AE4000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2821360432.0000000000D72000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: GbZkRO8wav.exe PID: 6640, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                      Source: C:\Users\user\Desktop\GbZkRO8wav.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                      Source: Yara match | File source: 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: GbZkRO8wav.exe PID: 6640, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match | File source: dump.pcap, type: PCAP
                      Source: Yara match | File source: 0.2.GbZkRO8wav.exe.ae5e58.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.GbZkRO8wav.exe.ae5e58.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.GbZkRO8wav.exe.d70000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2820958513.0000000000AE4000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2821360432.0000000000D72000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: GbZkRO8wav.exe PID: 6640, type: MEMORYSTR
                      MITRE ATT&CK Matrix (one line per tactic, listing the techniques in that column of the report's matrix; a leading number is the report's own count marker for a technique this sample triggered, kept as extracted)
                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                      Execution: 221 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task
                      Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                      Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                      Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 241 Virtualization/Sandbox Evasion; 1 Process Injection; 2 Obfuscated Files or Information; 1 DLL Side-Loading
                      Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                      Discovery: 231 Security Software Discovery; 1 Process Discovery; 241 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 113 System Information Discovery; Wi-Fi Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                      Collection: 1 Archive Collected Data; 2 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                      Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label | Link
GbZkRO8wav.exe | 74% | ReversingLabs | Win32.Trojan.RedLine |
GbZkRO8wav.exe | 78% | Virustotal | | Browse
GbZkRO8wav.exe | 100% | Joe Sandbox ML | |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id14ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/ | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id2Response | 2% | Virustotal | | Browse
http://tempuri.org/ | 1% | Virustotal | | Browse
45.15.156.127:48665 | 100% | Avira URL Cloud | malware |
http://tempuri.org/Entity/Id14ResponseD | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id9 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id8 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id21Response | 4% | Virustotal | | Browse
http://tempuri.org/Entity/Id12Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id6ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe |
45.15.156.127:48665 | 14% | Virustotal | | Browse
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id4 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id5 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id7 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id14V | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id6Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id5ResponseD | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id15Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id1ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id14V | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id20 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id9Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id24Response | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id1Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id10ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id11 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id16Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id22 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id11ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id17ResponseD | 0% | Avira URL Cloud | safe |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
45.15.156.127:48665 | true | 14%, Virustotal, Browse; Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id14ResponseD | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003942000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003942000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/ | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id2Response | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id13ResponseD | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5ResponseD | GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id14V | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003942000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ip.sb/ip | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2820958513.0000000000AE4000.00000004.00000010.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2821360432.0000000000D72000.00000020.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1ResponseD | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9Response | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id20 | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id21 | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id22 | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id23 | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24 | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id24Response | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B4A000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003B6B000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000003.2808721570.0000000004B30000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id1Response | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21ResponseD | GbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/trust | GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id10 | GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003736000.00000004.00000800.00020000.00000000.sdmp, GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmp | false |
                                                                                                        • 1%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id11GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • 1%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id10ResponseDGbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id12GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • 1%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id16ResponseGbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • 2%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseGbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelGbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id13GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id14GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id15GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id16GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/NonceGbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id17GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id18GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id5ResponseGbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id19GbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsGbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id15ResponseDGbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id10ResponseGbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RenewGbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id11ResponseDGbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://tempuri.org/Entity/Id8ResponseGbZkRO8wav.exe, 00000000.00000002.2824151021.0000000003661000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyGbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0GbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDGbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTGbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2006/02/addressingidentityGbZkRO8wav.exe, 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id17ResponseDGbZkRO8wav.exe, 00000000.00000002.2824151021.000000000373E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
45.15.156.127 | unknown | Russian Federation | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1410598
Start date and time: 2024-03-18 07:30:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: GbZkRO8wav.exe (renamed because original name is a hash value)
Original Sample Name: 5a2a3883dbb564b4ae87d05707d4cd5d.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@2/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 48
• Number of non-executed functions: 23
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
07:32:55 | API Interceptor | 15x Sleep call for process: GbZkRO8wav.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
45.15.156.127 | lnker.lnk | malicious | RedLine |
45.15.156.127 | driver.exe | malicious | RedLine |
45.15.156.127 | Eclipse.exe | malicious | AsyncRAT, PureLog Stealer, RHADAMANTHYS, RedLine, XWorm, zgRAT |
45.15.156.127 | 7bXVSwc9dp.exe | malicious | PureLog Stealer, RedLine, zgRAT |
45.15.156.127 | SecuriteInfo.com.Trojan.Agent.446.6903.exe | malicious | RedLine |
45.15.156.127 | axfdj9gfw.exe | malicious | RedLine |
45.15.156.127 | last.exe | malicious | RedLine, Xmrig |
45.15.156.127 | edgag365.exe | malicious | RedLine |
45.15.156.127 | Shxdow.exe | malicious | RedLine |
45.15.156.127 | GLP3Q0PFY4.exe | malicious | RedLine |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | 1nj V2.exe | malicious | RedLine | 45.15.156.142
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | Setup.exe | malicious | LummaC, PureLog Stealer, Xmrig | 45.15.156.43
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | tUQhE2rI9a.exe | malicious | PureLog Stealer | 45.15.156.43
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | hQmSR2hm9z.elf | malicious | Mirai, Gafgyt | 5.42.35.254
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | ld7ipzWnHE.exe | malicious | LummaC, RisePro Stealer | 5.42.65.117
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | QN1omDissd.exe | malicious | Amadey, Glupteba, Mars Stealer, Stealc, Vidar | 5.42.64.44
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | AwV2hldmu0.exe | malicious | Amadey, Glupteba, Mars Stealer, Stealc, Vidar | 5.42.64.44
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | BIG BASE 50,000 CC LEAKED FOR FREE --- VALID RATE 30% .txt.pif.exe | malicious | RedLine | 5.42.65.15
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | jKiqguIdjl.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine | 5.42.65.31
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | file.exe | malicious | Amadey, Glupteba | 5.42.64.44
No context
No context
Process: C:\Users\user\Desktop\GbZkRO8wav.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3094
Entropy (8bit): 5.33145931749415
Encrypted: false
SSDEEP: 96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5: 3FD5C0634443FB2EF2796B9636159CB6
SHA1: 366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
SHA-256: 58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
SHA-512: 8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):6.549680372656925
TrID:
• Win32 Executable (generic) a (10002005/4) 99.53%
• InstallShield setup (43055/19) 0.43%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:GbZkRO8wav.exe
File size:693'494 bytes
MD5:5a2a3883dbb564b4ae87d05707d4cd5d
SHA1:b277cc5fd2358ba865e011fe9d8c2f89c40a0649
SHA256:939bd5097a5a1c3d3ecae7d6f90194e47a6d20fa0e7c21d68679be9ea5c65f2f
SHA512:6445528d36370335ee6d9ef7a8424e970e49730689d576755e23c83d603bbf6a09e2a1ebceee42149c0d16424a7256525cff478d5b352241ce65a4b0950c88aa
SSDEEP:12288:2txcN49VQbkeWL/+wdxc38oZrYu1Oi2hZABT5gsMAE:2g4DUOL/+k5u1FaWgsMAE
TLSH:8EE41AA4B25940BAF8E5D2B8F4730B419BF0E52E53879FD71329D25EAC33A81417931B
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..e.@.............'.t... ....................@.......................................@... ............................
Icon Hash:90cececece8e8eb0
Entrypoint:0x4013f0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x65E9FC38 [Thu Mar 7 17:41:12 2024 UTC]
TLS Callbacks:0x407350, 0x407300
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:e7d857a6b1d7de1b6c756d2d381fe554

Instruction
mov dword ptr [004A4060h], 00000000h
jmp 00007FCEAD2A4916h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007FCEAD2AB9F6h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00458000h
call dword ptr [004A5104h]
sub esp, 04h
test eax, eax
je 00007FCEAD2A4C25h
mov ebx, eax
mov dword ptr [esp], 00458000h
call dword ptr [004A5114h]
mov edi, dword ptr [004A5108h]
sub esp, 04h
mov dword ptr [004A4020h], eax
mov dword ptr [esp+04h], 00458013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00458029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [00409000h], eax
test esi, esi
je 00007FCEAD2A4BC3h
mov dword ptr [esp+04h], 004A4024h
mov dword ptr [esp], 004A3104h
call esi
mov dword ptr [esp], 004014C0h
call 00007FCEAD2A4B13h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi
pop edi
pop ebp
ret
lea esi, dword ptr [esi+00000000h]
mov eax, 00000000h
mov esi, 00000000h

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa5000 | 0x4c8 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa8000 | 0x6cc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xa2100 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa50ec | 0xb0 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x72e4 | 0x7400 | 74e8f805ccf168279ff04614e2badd51 | False | 0.5823006465517241 | data | 6.214582780953433 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x4eae4 | 0x4ec00 | 2d46c115442f8e9a6808ad5dfd812d01 | False | 0.38394097222222223 | data | 5.699285244984914 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x58000 | 0x4a3dc | 0x4a400 | 417921427580e042424ae3ff71c66fa2 | False | 0.5672052556818182 | data | 6.554379885183367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4 | 0xa3000 | 0x878 | 0xa00 | b7b716b8d04a9cc1f78ee95f6896cbc8 | False | 0.381640625 | data | 4.2115834067786615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0xa4000 | 0xb4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xa5000 | 0x4c8 | 0x600 | cb918f4f46d758adf1f6582eb0bef404 | False | 0.3821614583333333 | data | 4.268630174129219 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0xa6000 | 0x30 | 0x200 | 6db04e43bbf2d0296bc3733768940703 | False | 0.060546875 | data | 0.2005819074398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xa7000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0xa8000 | 0x6cc | 0x800 | bdb694af8a5572396a8bd7b110049f7b | False | 0.7626953125 | data | 6.174888764366186 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/14 | 0xa9000 | 0x38 | 0x200 | d72390d2be68565b7713b67658653429 | False | 0.068359375 | Matlab v4 mat-file (little endian) *, rows 2, columns 262144 | 0.2162069074398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/29 | 0xaa000 | 0xf90 | 0x1000 | ea5221ef583a767121f372cffacca545 | False | 0.385009765625 | data | 5.207600460490483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/41 | 0xab000 | 0xaf | 0x200 | 559a85e909e773073b8b6d2f9bb39a3a | False | 0.294921875 | data | 2.128627013155538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/55 | 0xac000 | 0xa0 | 0x200 | 86772e0acc535194b34c9872681f3a71 | False | 0.216796875 | data | 1.4730559609214668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/67 | 0xad000 | 0x38 | 0x200 | d347abad98891986aa5e8bdd56b59062 | False | 0.1171875 | data | 0.6745765448489234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/80 | 0xae000 | 0xa3 | 0x200 | 1bc45059f0d7f969b315a0a3952c1460 | False | 0.279296875 | data | 2.4397345742604513 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/91 | 0xaf000 | 0x1f8 | 0x200 | 9c35e75102ba33cda78bcb75595d04e4 | False | 0.330078125 | data | 4.770094291751421 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL | Import
KERNEL32.dll | CreateThread, DeleteCriticalSection, EnterCriticalSection, FreeConsole, FreeLibrary, GetLastError, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualAlloc, VirtualProtect, VirtualQuery, WaitForSingleObject, lstrlenW
msvcrt.dll | __getmainargs, __initenv, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _initterm, _iob, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, strlen, strncmp, vfprintf

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/18/24-07:31:04.775194 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 48665 | 49729 | 45.15.156.127 | 192.168.2.4
03/18/24-07:31:10.484173 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 48665 | 49729 | 45.15.156.127 | 192.168.2.4
03/18/24-07:32:57.280683 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
03/18/24-07:31:04.561191 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49729 | 48665 | 192.168.2.4 | 45.15.156.127

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 18, 2024 07:31:03.588308096 CET | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
Mar 18, 2024 07:31:03.799721003 CET | 48665 | 49729 | 45.15.156.127 | 192.168.2.4
Mar 18, 2024 07:31:03.799822092 CET | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
Mar 18, 2024 07:31:03.921761036 CET | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
Mar 18, 2024 07:31:04.134156942 CET | 48665 | 49729 | 45.15.156.127 | 192.168.2.4
Mar 18, 2024 07:31:04.186094999 CET | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
Mar 18, 2024 07:31:04.561191082 CET | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
Mar 18, 2024 07:31:04.775193930 CET | 48665 | 49729 | 45.15.156.127 | 192.168.2.4
Mar 18, 2024 07:31:04.824403048 CET | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
Mar 18, 2024 07:31:10.265126944 CET | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
Mar 18, 2024 07:31:10.484173059 CET | 48665 | 49729 | 45.15.156.127 | 192.168.2.4
Mar 18, 2024 07:31:10.484558105 CET | 48665 | 49729 | 45.15.156.127 | 192.168.2.4
Mar 18, 2024 07:31:10.484637976 CET | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
Mar 18, 2024 07:31:10.484694004 CET | 48665 | 49729 | 45.15.156.127 | 192.168.2.4
Mar 18, 2024 07:31:10.484725952 CET | 48665 | 49729 | 45.15.156.127 | 192.168.2.4
Mar 18, 2024 07:31:10.484745026 CET | 48665 | 49729 | 45.15.156.127 | 192.168.2.4
Mar 18, 2024 07:31:10.484770060 CET | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
Mar 18, 2024 07:31:10.527504921 CET | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
Mar 18, 2024 07:31:10.837644100 CET | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
Mar 18, 2024 07:31:10.922801971 CET | 48665 | 49729 | 45.15.156.127 | 192.168.2.4
Mar 18, 2024 07:31:10.922929049 CET | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
Mar 18, 2024 07:31:11.055530071 CET | 48665 | 49729 | 45.15.156.127 | 192.168.2.4
Mar 18, 2024 07:31:11.069320917 CET | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
Mar 18, 2024 07:31:11.433756113 CET | 49729 | 48665 | 192.168.2.4 | 45.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:11.581829071 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:11.581923008 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:11.657836914 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:11.699496984 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:11.739195108 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:12.105809927 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:12.196201086 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:12.196269989 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:12.716007948 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:12.716208935 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:12.855745077 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:13.110392094 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:13.111326933 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:15.702147007 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:20.871287107 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:21.125497103 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:39.214989901 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:39.466913939 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:39.467175961 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:39.678945065 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:39.679136038 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:39.891180992 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:39.891196012 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:39.891370058 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:40.103285074 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:40.104759932 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:40.110657930 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:40.322565079 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:40.332055092 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:40.543895960 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:40.589984894 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:40.667032957 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:40.878707886 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:40.911165953 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:41.123130083 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:41.137324095 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:41.350245953 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:41.367131948 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:41.579025030 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:41.585689068 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:41.797580004 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:41.798724890 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:42.010241032 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.058762074 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:42.202424049 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:42.414499044 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.414664984 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.414931059 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.415015936 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:42.455147982 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.455334902 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:42.626359940 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.626429081 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:42.626805067 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.626859903 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.626950979 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.627046108 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:42.666690111 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.666867971 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:42.706969976 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.707272053 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:42.837718010 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.838484049 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.838618040 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.838710070 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:42.878149986 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.878235102 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:42.959487915 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:42.959566116 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.051635981 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.051695108 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.051724911 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.051762104 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.051827908 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.051868916 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.051899910 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.051919937 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.089910030 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.090214014 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.170912027 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.171000957 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.263348103 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.263380051 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.263422966 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.263464928 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.263582945 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.263648033 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.263890982 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.263958931 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.301727057 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.301825047 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.382756948 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.382847071 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.474884033 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.474997997 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.475578070 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.475589991 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.475662947 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.475667000 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.475692034 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.475739956 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.475774050 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.513113976 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.513127089 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.513238907 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.664853096 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.665090084 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.665097952 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.665185928 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.665314913 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.691318035 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.691514015 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.876388073 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.876492023 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.876532078 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.876540899 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.876609087 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.876629114 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.876966953 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.877027035 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:43.904649019 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:43.904839993 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:44.087991953 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:44.088025093 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:44.088083982 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:44.088118076 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:44.088309050 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:44.088325024 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:44.088340044 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:44.088504076 CET486654972945.15.156.127192.168.2.4
Mar 18, 2024 07:31:44.116067886 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.116102934 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.116312027 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.299576044 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.299655914 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.327662945 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.327750921 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.327927113 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.327991962 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.328443050 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.328526020 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.511069059 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.511281967 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.539665937 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.539683104 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.539890051 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.539891005 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.539917946 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.539966106 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.540009975 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.540009975 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.540056944 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.723017931 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.723227024 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.751310110 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.751537085 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.751991034 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.752007961 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.752073050 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.754400969 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.754482985 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.754869938 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.754934072 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.934833050 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.934932947 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.973268986 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.973359108 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.973464012 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.973521948 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.973602057 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.973663092 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.973989010 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.974034071 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:44.974147081 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:44.974220037 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.009871006 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.009965897 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.149430037 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.149604082 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.185935020 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.186059952 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.186121941 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.186187983 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.186687946 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.186774015 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.186871052 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.186928034 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.187657118 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.187697887 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.187712908 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.187722921 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.187733889 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.187751055 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.187813997 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.300287962 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.300448895 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.369098902 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.369316101 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.402358055 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.402370930 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.402379990 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.402385950 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.402513981 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.406632900 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.406680107 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.406689882 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.406717062 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.406763077 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.442457914 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.442526102 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.552972078 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.553056955 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.592989922 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.593291044 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.623049974 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.623060942 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.623136997 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.623155117 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.623214006 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.623220921 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.623306990 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.654850006 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.654942036 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.814626932 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.814640045 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.814846992 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.843656063 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.843812943 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.843842983 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.843854904 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.843872070 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.843913078 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.843986988 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.843986988 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:45.887986898 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:45.888062000 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.060205936 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.060225010 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.060235023 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.060245037 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.060256004 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.060266018 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.060286045 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.060317039 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.060338974 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.060360909 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.060395002 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.107213974 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.107296944 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.334811926 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.334922075 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.334939957 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.335000038 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.335011959 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.335089922 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.365804911 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.366013050 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.546396971 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.546511889 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.546756983 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.546768904 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.546777964 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.546842098 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.643768072 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.643835068 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.758920908 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.759067059 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.759171009 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.759233952 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.759947062 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.760015965 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:46.760109901 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:46.760169029 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:47.032383919 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:47.032470942 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:47.496330976 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:47.623536110 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:48.418101072 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:48.634287119 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:48.634393930 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:48.846443892 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:48.846462011 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:48.846571922 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:48.846571922 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:49.128182888 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:49.128200054 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:49.130911112 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:49.343931913 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:49.344139099 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:49.555890083 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:49.555907965 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:49.555953979 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:49.555985928 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:49.556699038 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:49.556746006 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:49.767343998 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:49.767365932 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:49.767432928 CET  49729  48665  192.168.2.4    45.15.156.127
Mar 18, 2024 07:31:49.768558979 CET  48665  49729  45.15.156.127  192.168.2.4
Mar 18, 2024 07:31:50.001435995 CET  48665  49729  45.15.156.127  192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:50.001534939 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:50.237291098 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:50.237382889 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:50.450737953 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:50.450830936 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:50.665019989 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:50.665111065 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:50.666327953 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:50.666389942 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:50.879409075 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:50.879612923 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:50.959943056 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:50.960015059 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:51.094302893 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:51.094387054 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:51.358191013 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:51.358254910 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:51.358661890 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:51.358715057 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:51.641239882 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:51.641321898 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:51.641343117 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:51.641376019 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:52.058929920 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:52.886918068 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:53.141688108 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:53.141786098 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:53.375157118 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:53.375261068 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:53.377393007 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:54.148467064 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:54.148479939 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:54.148756027 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:54.372827053 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:57.027538061 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:59.789401054 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:31:59.789782047 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:31:59.789901018 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:01.209300995 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:01.209330082 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:01.209409952 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:02.209651947 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:02.209749937 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:03.158480883 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:03.158603907 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:03.159280062 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:03.159337044 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:03.371937990 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:03.372033119 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:03.372807026 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:03.372881889 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:04.239518881 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:04.239532948 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:04.239545107 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:04.239641905 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:05.985035896 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:05.985142946 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:05.985312939 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:05.985402107 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:05.986654043 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:05.986718893 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:05.986885071 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:05.986946106 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:06.209939957 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:06.209953070 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:06.209964991 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:06.209995031 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:06.210037947 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:06.210078955 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:06.210078955 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:09.902468920 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:17.261948109 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:17.473222017 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:17.473443031 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:17.685055017 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:17.685101032 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:17.685133934 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:17.896997929 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:17.897011995 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:17.897054911 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:17.897106886 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:17.897161961 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:18.108517885 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:18.108562946 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:18.108603001 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:18.108747005 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:18.109314919 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:18.320147038 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:18.320358992 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:18.320606947 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:18.320662975 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:18.320686102 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:18.320734978 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:19.464032888 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:19.464063883 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:19.464099884 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:19.464122057 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:19.464159966 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:19.464169979 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:19.679725885 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:22.949341059 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:23.180197001 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:23.180320024 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:26.668090105 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:33.636854887 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:33.848392963 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:33.848494053 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:35.324352026 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:35.601385117 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:35.601459026 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:35.814150095 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:39.011950016 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:39.223371029 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:39.223496914 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:39.223560095 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:39.438628912 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:39.438747883 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:39.438822985 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:39.654038906 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:39.654057980 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:39.654170036 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:39.654222965 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:39.654309034 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:39.871134996 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:39.871151924 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:39.871243954 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:39.871771097 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:43.074382067 CET4972948665192.168.2.445.15.156.127
                                                                                                                                                Mar 18, 2024 07:32:43.296618938 CET486654972945.15.156.127192.168.2.4
                                                                                                                                                Mar 18, 2024 07:32:43.296719074 CET4972948665192.168.2.445.15.156.127

Target ID: 0
Start time: 07:30:58
Start date: 18/03/2024
Path: C:\Users\user\Desktop\GbZkRO8wav.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\GbZkRO8wav.exe
Imagebase: 0xbf0000
File size: 693'494 bytes
MD5 hash: 5A2A3883DBB564B4AE87D05707D4CD5D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2824151021.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2820958513.0000000000AE4000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2821360432.0000000000D72000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 07:30:58
Start date: 18/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true
